Analyst readout for executives and security teams
Plain-English summary
CVE-2008-3474 is an information disclosure flaw in Microsoft Internet Explorer 6 and 7. A malicious HTML document could cause the browser to misjudge where script content came from, letting an attacker bypass cross-domain protections and read sensitive information if a user opens the content.
Executive priority
Treat as a legacy-risk cleanup item unless IE6 or IE7 remains in use. If those browsers still support business-critical workflows, prioritize patch verification, browser retirement planning, and network restrictions because confidentiality impact is high.
Technical view
The issue is a same-origin or security-zone origin determination failure in IE6 and IE7 script handling. The CVSS vector indicates network attackability, low complexity, no privileges, required user interaction, unchanged scope, and high confidentiality impact only.
Likely exposure
Exposure is mainly legacy environments still running Internet Explorer 6 or 7, including old workstations, kiosks, embedded systems, or application compatibility islands. Modern supported browsers are not identified as affected in the provided bundle.
Exploitation context
The bundle does not cite active exploitation, and KEV status is false. Exploitation requires user interaction with crafted HTML content. The main risk is confidential data leakage across domains or security zones, not code execution or service disruption.
Researcher notes
The provided affected-product metadata is incomplete, but the CVE description identifies IE6 and IE7. No CWE is supplied. Research should focus on origin/security-zone boundary behavior, patch applicability, and whether legacy compatibility systems still expose users to crafted HTML.
Mitigation direction
- Apply Microsoft MS08-058 or the referenced KB956390 update where applicable.
- Retire Internet Explorer 6 and 7 wherever business applications allow.
- Restrict legacy IE systems from untrusted web and email content.
- Check current Microsoft or vendor guidance for unsupported legacy dependencies.
Validation and detection
- Inventory endpoints and applications that still launch IE6 or IE7.
- Verify MS08-058 or KB956390 patch status through vulnerability management records.
- Use the referenced OVAL definition where your scanner supports it.
- Confirm legacy browsers cannot reach untrusted internet content.
Public sources used
Based on public source material and reviewed before publication.
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
CVE-2008-3474 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
Open ATT&CK lookup- Severity
- Medium
- CVSS
- 6.5 (3.1)
- Known Exploited
- No
- Published
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
CNA and ADP enrichment extracted from CVE v5
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
CVSS vector scores
1 official scoreWe collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N2.83.6Primary CVE scoreVulnerability scoring details
Base CVSS 3.1 score
6.5MediumVector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Source materials
- CVE List V5 sourceCVE List V5
- ie-script-origin-information-disclosure(45854)CVE reference · vdb-entry, x_refsource_XF
- SSRT080143CVE reference · vendor-advisory, x_refsource_HP
- MS08-058CVE reference · vendor-advisory, x_refsource_MS
- ADV-2008-2809CVE reference · vdb-entry, x_refsource_VUPEN
- oval:org.mitre.oval:def:13299CVE reference · vdb-entry, signature
- 1021047CVE reference · vdb-entry, x_refsource_SECTRACK
- TA08-288ACVE reference · third-party-advisory, x_refsource_CERT
- win-ms08kb956390-update(45565)CVE reference · vdb-entry, x_refsource_XF
Products and packages named in the record
CWE details
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
