CVE-2015-0072
Description
Cross-site scripting (XSS) vulnerability in Microsoft Internet Explorer 9 through 11 allows remote attackers to bypass the Same Origin Policy and inject arbitrary web script or HTML via vectors involving an IFRAME element that triggers a redirect, a second IFRAME element that does not trigger a redirect, and an eval of a WindowProxy object, aka "Universal XSS (UXSS)."
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Universal XSS vulnerability in IE 9-11 bypasses Same Origin Policy via IFRAME redirect and eval of WindowProxy, enabling phishing and data theft.
Vulnerability
CVE-2015-0072 is a universal cross-site scripting (UXSS) vulnerability affecting Microsoft Internet Explorer 9 through 11. It allows remote attackers to bypass the Same Origin Policy (SOP) by leveraging a sequence involving an IFRAME element that triggers a redirect, a second IFRAME that does not redirect, and an eval of a WindowProxy object [1][4]. The vulnerability was disclosed by researcher David Leo and demonstrated on Internet Explorer 11 on Windows 7 and 8.1 [4].
Exploitation
An attacker hosts a specially crafted webpage containing two IFRAMEs: one navigates to a target domain, the other remains same-origin. After the victim closes a popup dialog and clicks a link, the attacker's script is injected into the target domain's window roughly 7 seconds later [4]. The attack requires no authentication or special privileges, only that the victim visits the malicious page and performs the user interaction (closing the popup and clicking). The injected script can then read and write content from the target domain, including HTTPS pages [2].
Impact
Successful exploitation completely bypasses the Same Origin Policy, allowing an attacker to execute arbitrary JavaScript in the context of any website visited by the victim. This can be used to steal sensitive data (e.g., login credentials, session tokens), perform phishing attacks by injecting fake forms, or hijack user accounts on sites such as banks or email services [2]. The browser’s address bar continues to display the legitimate domain, making the attack highly convincing [2].
Mitigation
Microsoft addressed this vulnerability in Security Bulletin MS15-018, released on March 10, 2015 [1]. The update (KB3032359) modifies how Internet Explorer enforces cross-domain policies. Users should apply the update via Windows Update. Prior to patching, no practical workaround was available; users could reduce risk by avoiding untrusted websites or using an alternative browser. The vulnerability was not known to be exploited in the wild at the time of disclosure [4].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:microsoft:internet_explorer:10:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:internet_explorer:11:-:*:*:*:*:*:*
- cpe:2.3:a:microsoft:internet_explorer:9:*:*:*:*:*:*:*
- (no CPE) range: 9-11
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- innerht.ml/blog/ie-uxss.html (nvd, Exploit)
- packetstormsecurity.com/files/130308/Microsoft-Internet-Explorer-Universal-XSS-Proof-Of-Concept.html (nvd, Exploit)
- community.websense.com/blogs/securitylabs/archive/2015/02/05/another-day-another-zero-day-internet-explorer-s-turn-cve-2015-0072.aspx (nvd)
- seclists.org/fulldisclosure/2015/Feb/0 (nvd)
- secunia.com/advisories/62658 (nvd)
- www.pcworld.com/article/2879372/dangerous-ie-vulnerability-opens-door-to-powerful-phishing-attacks.html (nvd)
- www.securityfocus.com/archive/1/534662/100/0/threaded (nvd)
- www.securityfocus.com/bid/72489 (nvd)
- www.securitytracker.com/id/1031888 (nvd)
- docs.microsoft.com/en-us/security-updates/securitybulletins/2015/ms15-018 (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/100606 (nvd)
- nakedsecurity.sophos.com/2015/02/04/internet-explorer-has-a-cross-site-scripting-zero-day-bug/ (nvd)
News mentions
No linked articles in our index yet.