Microsoft .NET Framework Elevation of Privilege Vulnerabilities

Last Update Date: 11 Nov 2015 16:49 Release Date: 11 Nov 2015 3361 Views

RISK: Medium Risk

TYPE: Operating Systems - Windows OS

.NET Information Disclosure Vulnerability
An information disclosure vulnerability exists in the .NET Framework DTD parsing of certain specially crafted XML files. An attacker who successfully exploited this vulnerability could gain read access to local files on the target system.
.NET Elevation of Privilege Vulnerability
An elevation of privilege vulnerability exists when ASP.NET improperly validates values in HTTP requests, exposing users to a potential cross-site scripting (XSS) attack. An attacker who successfully exploited the vulnerability could leverage a vulnerable website to inject client-side script into a user’s browser and ultimately modify or spoof content, conduct phishing activities, disclose information, or perform any action on the vulnerable website that the target user has permission to perform.
.NET ASLR Bypass
A security feature bypass exists in a .NET Framework component that does not properly implement the Address Space Layout Randomization (ASLR) security feature, which protects users from a broad class of vulnerabilities. The ASLR bypass could allow an attacker to bypass the security feature and then load additional malicious code in an attempt to exploit another vulnerability. The security feature bypass by itself does not allow arbitrary code execution. However, an attacker could use this ASLR bypass in conjunction with another vulnerability, such as a remote code execution vulnerability, to run arbitrary code.