CVE-2008-4020

CVE Descriptions

Cross-site scripting (XSS) vulnerability in Microsoft Office XP SP3 allows remote attackers to inject arbitrary web script or HTML via a document that contains a "Content-Disposition: attachment" header and is accessed through a cdo: URL, which renders the content instead of raising a File Download dialog box, aka "Vulnerability in Content-Disposition Header Vulnerability."

CVE Informations

Related Weaknesses

CWE-ID	Weakness Name	Source
CWE-79	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Metrics

Metrics	Score	Severity	CVSS Vector	Source
V2	4.3		AV:N/AC:M/Au:N/C:N/I:P/A:N	nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

Date	EPSS V0	EPSS V1	EPSS V2 (> 2022-02-04)	EPSS V3 (> 2025-03-07)	EPSS V4 (> 2025-03-17)
2022-02-06	–	–	23.04%	–	–
2022-04-03	–	–	23.04%	–	–
2022-07-17	–	–	23.04%	–	–
2022-08-07	–	–	23.04%	–	–
2022-09-04	–	–	23.04%	–	–
2023-03-12	–	–	–	6.04%	–
2023-04-16	–	–	–	4.81%	–
2023-05-28	–	–	–	6.66%	–
2023-09-24	–	–	–	11.64%	–
2023-10-29	–	–	–	9.92%	–
2024-01-14	–	–	–	10.68%	–
2024-02-18	–	–	–	15.59%	–
2024-03-24	–	–	–	18.82%	–
2024-06-02	–	–	–	22.63%	–
2024-07-07	–	–	–	33.58%	–
2024-09-15	–	–	–	34.93%	–
2024-12-08	–	–	–	33.99%	–
2024-12-22	–	–	–	13.98%	–
2025-01-05	–	–	–	14.76%	–
2025-02-09	–	–	–	13.55%	–
2025-01-19	–	–	–	14.76%	–
2025-02-16	–	–	–	13.55%	–
2025-03-18	–	–	–	–	31.3%
2025-03-18	–	–	–	–	31.3,%

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

EPSS First.org

Date	Percentile
2022-02-06	95%
2022-04-03	96%
2022-07-17	97%
2022-08-07	96%
2022-09-04	97%
2023-03-12	92%
2023-04-16	91%
2023-05-28	93%
2023-09-24	95%
2023-10-29	94%
2024-01-14	95%
2024-02-18	96%
2024-03-24	96%
2024-06-02	97%
2024-07-07	97%
2024-09-15	97%
2024-12-08	97%
2024-12-22	96%
2025-01-05	96%
2025-02-09	96%
2025-01-19	96%
2025-02-16	96%
2025-03-18	96%
2025-03-18	96%

Products Mentioned

Configuraton 0

Microsoft>>Office >> Version xp

Microsoft>>Office >> Version xp (Open CPE detail)

References

http://www.vupen.com/english/advisories/2008/2807
Tags : vdb-entry, x_refsource_VUPEN

http://secunia.com/advisories/32138
Tags : third-party-advisory, x_refsource_SECUNIA

https://exchange.xforce.ibmcloud.com/vulnerabilities/45546
Tags : vdb-entry, x_refsource_XF

http://marc.info/?l=bugtraq&m=122479227205998&w=2
Tags : vendor-advisory, x_refsource_HP

http://jvndb.jvn.jp/ja/contents/2008/JVNDB-2008-000070.html
Tags : third-party-advisory, x_refsource_JVNDB

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-056
Tags : vendor-advisory, x_refsource_MS

http://marc.info/?l=bugtraq&m=122479227205998&w=2
Tags : vendor-advisory, x_refsource_HP

https://exchange.xforce.ibmcloud.com/vulnerabilities/45550
Tags : vdb-entry, x_refsource_XF

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5969
Tags : vdb-entry, signature, x_refsource_OVAL

http://jvn.jp/en/jp/JVN55410403/index.html
Tags : third-party-advisory, x_refsource_JVN

http://www.securitytracker.com/id?1021045
Tags : vdb-entry, x_refsource_SECTRACK

http://www.securityfocus.com/bid/31693
Tags : vdb-entry, x_refsource_BID

http://www.us-cert.gov/cas/techalerts/TA08-288A.html
Tags : third-party-advisory, x_refsource_CERT

CVE-2008-4020 : Detail