CVE-2007-4901

CVE-2007-4901 is a medium-severity vulnerability in Aol Aim Lite with a CVSS 2.0 base score of 5.8. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low.

Key facts

Description

The embedded Internet Explorer server control in AOL Instant Messenger (AIM) 6.1.41.2 and 6.2.32.1, AIM Pro, and AIM Lite does not properly constrain the use of mshtml.dll's web script and HTML functionality for incoming instant messages, which allows remote attackers to place HTML into unexpected contexts or execute arbitrary code, as demonstrated by writing arbitrary HTML to a notification window, and writing contents of arbitrary local image files to this window via IMG SRC.

Frequently asked questions

What is CVE-2007-4901?
The embedded Internet Explorer server control in AOL Instant Messenger (AIM) 6.1.41.2 and 6.2.32.1, AIM Pro, and AIM Lite does not properly constrain the use of mshtml.dll's web script and HTML functionality for incoming instant messages, which allows remote attackers to place HTML into unexpected contexts or execute arbitrary code, as demonstrated by writing arbitrary HTML to a notification window, and writing contents of arbitrary local image files to this window via IMG SRC.
How severe is CVE-2007-4901?
CVE-2007-4901 has a CVSS 2.0 base score of 5.8, rated medium severity.
Is CVE-2007-4901 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 3% (85th percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2007-4901?
CVE-2007-4901 primarily affects Aol Aim Lite. In total, 3 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2007-4901?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
When was CVE-2007-4901 published?
CVE-2007-4901 was published on 2007-09-14 and last updated on 2026-06-16.

References

Affected products (3)