Medium severity6.1NVD Advisory· Published Jan 31, 2011· Updated Apr 29, 2026

CVE-2011-0096

Description

The MHTML protocol handler in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 does not properly handle a MIME format in a request for content blocks in a document, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted web site that is visited in Internet Explorer, aka "MHTML Mime-Formatted Request Vulnerability."

Affected products

Microsoft/Windows 2003 Server2 versions
cpe:2.3:o:microsoft:windows_2003_server:*:sp2:*:*:*:*:*:*+ 1 more
- cpe:2.3:o:microsoft:windows_2003_server:*:sp2:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_2003_server:*:sp2:itanium:*:*:*:*:*
Microsoft/Windows 7
cpe:2.3:o:microsoft:windows_7:-:*:*:*:*:*:*:*
Microsoft/Windows Server 2003
cpe:2.3:o:microsoft:windows_server_2003:*:sp2:*:*:*:*:*:*
Microsoft/Windows Server 20088 versions
cpe:2.3:o:microsoft:windows_server_2008:*:*:itanium:*:*:*:*:*+ 7 more
- cpe:2.3:o:microsoft:windows_server_2008:*:*:itanium:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2008:*:*:x32:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2008:*:*:x64:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2008:*:sp2:x32:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2008:*:sp2:x64:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2008:-:sp2:itanium:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2008:r2:*:itanium:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2008:r2:*:x64:*:*:*:*:*
Microsoft/Windows Vista2 versions
cpe:2.3:o:microsoft:windows_vista:*:sp1:*:*:*:*:*:*+ 1 more
- cpe:2.3:o:microsoft:windows_vista:*:sp1:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_vista:*:sp2:*:*:*:*:*:*
Microsoft/Windows Xp2 versions
cpe:2.3:o:microsoft:windows_xp:*:sp2:x64:*:*:*:*:*+ 1 more
- cpe:2.3:o:microsoft:windows_xp:*:sp2:x64:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_xp:*:sp3:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.80vul.com/webzine_0x05/0x05%20IE%E4%B8%8BMHTML%E5%8D%8F%E8%AE%AE%E5%B8%A6%E6%9D%A5%E7%9A%84%E8%B7%A8%E5%9F%9F%E5%8D%B1%E5%AE%B3.htmlnvdExploit
www.exploit-db.com/exploits/16071nvdExploit
secunia.com/advisories/43093nvdVendor Advisory
www.microsoft.com/technet/security/advisory/2501696.mspxnvdVendor Advisory
www.vupen.com/english/advisories/2011/0242nvdVendor Advisory
www.kb.cert.org/vuls/id/326549nvdUS Government Resource
www.us-cert.gov/cas/techalerts/TA11-102A.htmlnvdUS Government Resource
blogs.technet.com/b/msrc/archive/2011/01/28/microsoft-releases-security-advisory-2501696.aspxnvd
blogs.technet.com/b/srd/archive/2011/01/28/more-information-about-the-mhtml-script-injection-vulnerability.aspxnvd
osvdb.org/70693nvd
www.securityfocus.com/bid/46055nvd
www.securitytracker.com/idnvd
docs.microsoft.com/en-us/security-updates/securitybulletins/2011/ms11-026nvd
exchange.xforce.ibmcloud.com/vulnerabilities/65000nvd
oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6956nvd

News mentions

No linked articles in our index yet.

cvss	0.397
epss	0.056
exploit	0.030
kev	0.000
patch	0.000
ransomware	0.000