Microsoft Internet Explorer 8, and possibly other versions, detects http content in https web pages only when the top-level frame uses https, which allows man-in-the-middle attackers to execute arbitrary web script, in an https sites context, by modifying an http page to include an https iframe that references a script file on an http site, related to HTTP-Intended-but-HTTPS-Loadable (HPIHSL) pages.
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Internet_explorer | Microsoft | * | 8 (including) |
| Internet_explorer | Microsoft | 5 (including) | 5 (including) |
| Internet_explorer | Microsoft | 5.01-sp4 (including) | 5.01-sp4 (including) |
| Internet_explorer | Microsoft | 6 (including) | 6 (including) |
| Internet_explorer | Microsoft | 6-sp1 (including) | 6-sp1 (including) |
| Internet_explorer | Microsoft | 6-sp2 (including) | 6-sp2 (including) |
| Internet_explorer | Microsoft | 7 (including) | 7 (including) |
| Internet_explorer | Microsoft | 7.0.5730 (including) | 7.0.5730 (including) |
| Internet_explorer | Microsoft | 8 (including) | 8 (including) |
| Internet_explorer | Microsoft | 8-beta1 (including) | 8-beta1 (including) |
| Internet_explorer | Microsoft | 8.0b (including) | 8.0b (including) |
| Pocket_ie | Microsoft | 1.0 (including) | 1.0 (including) |
| Pocket_ie | Microsoft | 1.1 (including) | 1.1 (including) |
| Pocket_ie | Microsoft | 2.0 (including) | 2.0 (including) |
| Pocket_ie | Microsoft | 3.0 (including) | 3.0 (including) |
| Pocket_ie | Microsoft | 4.0 (including) | 4.0 (including) |
| Pocket_ie | Microsoft | 2002 (including) | 2002 (including) |
| Pocket_ie | Microsoft | 2003 (including) | 2003 (including) |