VYPR
Unrated severity · NVD Advisory · Published Mar 7, 2003 · Updated Jun 16, 2026

CVE-2003-0009

Description

Cross-site scripting (XSS) vulnerability in Help and Support Center for Microsoft Windows Me allows remote attackers to execute arbitrary script in the Local Computer security context via an hcp:// URL with the malicious script in the topic parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

4
  • cpe:2.3:o:microsoft:windows_me:*:*:*:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_me:*:*:*:*:*:*:*:*
    • (no CPE)
  • cpe:2.3:o:microsoft:windows_xp:*:gold:professional:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_xp:*:gold:professional:*:*:*:*:*
    • cpe:2.3:o:microsoft:windows_xp:*:*:home:*:*:*:*:*

Vulnerability mechanics

Root cause

"Insufficient bounds checking on input supplied through the HCP URI parameter allows for a buffer overflow."

Attack vector

An attacker can exploit this vulnerability by crafting a malicious HCP request with an overly long string in the topic parameter. When the Help and Support Center processes the crafted request, it triggers a buffer overflow. The overflow may result in the execution of attacker-supplied code in the local computer's security context [ref_id=1].

Affected code

The vulnerability lies within the Help and Support Center for Microsoft Windows Me, specifically in how it handles input from the HCP URI parameter. The exploit code targets the winhlp32.exe process and manipulates .CNT files to achieve code execution [ref_id=1].

What the fix does

The advisory does not specify a patch or remediation steps. Therefore, no fix explanation can be provided.

Preconditions

  • The target system must be running Microsoft Windows Me.
  • The attacker must be able to trick the user into opening a specially crafted HCP:// URL or a malicious .CNT file.

Generated on Jun 6, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

7
