Internet Explorer: Saved XSS

Internet Explorer-SA-11/14/2010: Internet Explorer – Saved XSS vulnerability


This hole is similar to the Cross-Site Scripting vulnerability in Internet
Explorer – CVE-2007-4478, which I found in August 2007 and informed Microsoft
about. They ignored it and didn’t fix it in IE6, and they didn’t fix it in IE7
(or in IE6) after I informed them in 2008. But they silently and lamerly fixed
it in IE8, as I found in May 2010 when I checked this hole in IE8. This
vulnerability differs from the previous one in that the attack goes not via
saving a web page, but via saving a web archive (mht/mhtml file) – similarly
to the Cross-Site Scripting in Opera, which I wrote about in 2008. All
versions of IE6, IE7 and IE8 are affected by this hole.