Cyber Resilience

CVE-2017-0210

High | CISA KEV | Active Exploitation | EUVD Exploited

Published: 12 April 2017

Modified: 22 April 2026
KEV Added: 24 May 2022
Patch
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.4296 (97.6th percentile)
Risk Priority: 63 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2017-0210 is a high-severity vulnerability of unspecified weakness type in Microsoft Internet Explorer. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 2.4% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SC-46 (Cross Domain Policy Enforcement).

Deeper analysis

An elevation of privilege vulnerability tracked as CVE-2017-0210 affects Internet Explorer when the browser fails to properly enforce cross-domain policies. This flaw permits an attacker to access information from one domain and inject it into another, as described in the official disclosure published on 2017-04-12 with a CVSS 3.1 base score of 8.8.

An unauthenticated remote attacker can exploit the issue over the network by convincing a user to visit a malicious web page, after which the attacker can read or modify content across domain boundaries with high impact to confidentiality, integrity, and availability. No prior authentication or special privileges are required on the target system.

The Microsoft Security Response Center advisory at https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0210 and related vendor bulletins provide official mitigation guidance and patch information for affected Internet Explorer installations.

Vulnerability details

An elevation of privilege vulnerability exists when Internet Explorer does not properly enforce cross-domain policies, which could allow an attacker to access information from one domain and inject it into another domain, aka "Internet Explorer Elevation of Privilege Vulnerability."

CWE(s)
KEV Date Added: 24 May 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

microsoft | internet explorer | 10, 11

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires enforcement of cross-domain policies, which the CVE shows IE failed to do, blocking unauthorized information flow between domains.

prevent

Enforces rules that prevent information from one domain being read or injected into another, directly mitigating the described cross-domain violation.

prevent

Enforces access decisions based on domain boundaries so that content cannot be accessed or modified across domains without authorization.
