CVE-2009-0419

CVE Database · CVE-2009-0419

CVE-2009-0419

· N/AModified

CVSS v3.1

N/A

EPSS

15.34%

Published

Feb 4, 2009

Modified

Apr 22, 2026

Public PoC / Exploit (1)

All weaponized →

TrickestTrickest PoC index

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

Microsoft XML Core Services, as used in Microsoft Expression Web, Office, Internet Explorer 6 and 7, and other products, does not properly restrict access from web pages to Set-Cookie2 HTTP response headers, which allows remote attackers to obtain sensitive information from cookies via XMLHttpRequest calls, related to the HTTPOnly protection mechanism. NOTE: this issue reportedly exists because of an incomplete fix for CVE-2008-4033.

Weaknesses (CWE)

CWE-264

Affected Products (1)

microsoft · xml_core_servicesvulnerable

References (4)

https://bugzilla.mozilla.org/show_bug.cgi?id=380418

https://exchange.xforce.ibmcloud.com/vulnerabilities/48815

https://bugzilla.mozilla.org/show_bug.cgi?id=380418

https://exchange.xforce.ibmcloud.com/vulnerabilities/48815

KEV Catalog EPSS Scores Vendors All CVEs