Unrated severityNVD Advisory· Published Aug 13, 2008· Updated Apr 23, 2026

CVE-2008-1448

Description

The MHTML protocol handler in a component of Microsoft Outlook Express 5.5 SP2 and 6 through SP1, and Windows Mail, does not assign the correct Internet Explorer Security Zone to UNC share pathnames, which allows remote attackers to bypass intended access restrictions and read arbitrary files via an mhtml: URI in conjunction with a redirection, aka "URL Parsing Cross-Domain Information Disclosure Vulnerability."

Affected products

Microsoft/Outlook Express3 versions
cpe:2.3:a:microsoft:outlook_express:5.5:sp2:*:*:*:*:*:*+ 2 more
- cpe:2.3:a:microsoft:outlook_express:5.5:sp2:*:*:*:*:*:*
- cpe:2.3:a:microsoft:outlook_express:6.0:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:outlook_express:6.0:sp1:*:*:*:*:*:*
Microsoft/Windows Mail
cpe:2.3:a:microsoft:windows_mail:*:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

secunia.com/advisories/31415nvdPatchVendor Advisory
www.securityfocus.com/bid/30585nvdPatch
www.vupen.com/english/advisories/2008/2352nvdVendor Advisory
www.us-cert.gov/cas/techalerts/TA08-225A.htmlnvdUS Government Resource
marc.infonvd
www.coresecurity.com/content/internet-explorer-zone-elevationnvd
www.securityfocus.com/archive/1/495458/100/0/threadednvd
www.securitytracker.com/idnvd
www.securitytracker.com/idnvd
docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-048nvd
oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5886nvd

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.036
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000