CVE-2009-0419 Information

Description

Microsoft XML Core Services, as used in Microsoft Expression Web, Office, Internet Explorer 6 and 7, and other products, does not properly restrict access from web pages to Set-Cookie2 HTTP response headers, which allows remote attackers to obtain sensitive information from cookies via XMLHttpRequest calls, related to the HTTPOnly protection mechanism. NOTE: this issue reportedly exists because of an incomplete fix for CVE-2008-4033.

Reference

https://bugzilla.mozilla.org/show_bug.cgi?id=380418
https://exchange.xforce.ibmcloud.com/vulnerabilities/48815
