CVE-2012-2423

Name of the Vulnerable Software and Affected Versions Intuit QuickBooks versions 2009 through 2012

Description The issue concerns the intu-help-qb handlers in HelpAsyncPluggableProtocol.dll. When Internet Explorer is used, these handlers provide different responses to remote requests based on the validity of a ZIP pathname. This allows remote attackers to potentially obtain sensitive information about the installation path and product version by making a series of requests involving the Msxml2.XMLHTTP object.

Recommendations For Intuit QuickBooks versions 2009 through 2012, consider restricting access to the HelpAsyncPluggableProtocol.dll handlers as a temporary mitigation measure until a patch is available. Avoid using the Msxml2.XMLHTTP object in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.