CVE-2013-3897

Use-after-free vulnerability in the CDisplayPointer class in mshtml.dll in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted JavaScript code that uses the onpropertychange event handler, as exploited in the wild in September and October 2013, aka "Internet Explorer Memory Corruption Vulnerability."

CVSS v3 8.8 HIGH
CVSS v2.0 9.3 HIGH

8.8^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

9.3^/10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:N/AC:M/Au:N/C:C/I:C/A:C

Exploitability : 8.6 / Impact : 10.0

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
http://blogs.technet.com/b/srd/archive/2013/10/08/ms13-080-addresses-two-vulnerabilities-under-limited-targeted-attacks.aspx	Broken Link Vendor Advisory
http://www.us-cert.gov/ncas/alerts/TA13-288A	Third Party Advisory US Government Resource
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-080	Patch Vendor Advisory
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18989	Broken Link

Configurations

Configuration 1 (hide)

AND

cpe:2.3:a:microsoft:internet_explorer:6:*:*:*:*:*:*:*

OR	cpe:2.3:o:microsoft:windows_server_2003:-:sp2::::::
	cpe:2.3:o:microsoft:windows_xp:-:sp2:::professional::x64:
	cpe:2.3:o:microsoft:windows_xp:-:sp3::::::

Configuration 2 (hide)

AND

cpe:2.3:a:microsoft:internet_explorer:7:*:*:*:*:*:*:*

OR	cpe:2.3:o:microsoft:windows_server_2003:-:sp2::::::
	cpe:2.3:o:microsoft:windows_server_2008:-:sp2::::::
	cpe:2.3:o:microsoft:windows_vista:-:sp2::::::
	cpe:2.3:o:microsoft:windows_xp:-:sp2:::professional::x64:
	cpe:2.3:o:microsoft:windows_xp:-:sp3::::::

Configuration 3 (hide)

AND

cpe:2.3:a:microsoft:internet_explorer:8:*:*:*:*:*:*:*

OR	cpe:2.3:o:microsoft:windows_7:-:sp1::::::
	cpe:2.3:o:microsoft:windows_server_2003:-:sp2::::::
	cpe:2.3:o:microsoft:windows_server_2008:-:sp2::::::
	cpe:2.3:o:microsoft:windows_server_2008:r2:sp1::::::
	cpe:2.3:o:microsoft:windows_vista:-:sp2::::::
	cpe:2.3:o:microsoft:windows_xp:-:sp2:::professional::x64:
	cpe:2.3:o:microsoft:windows_xp:-:sp3::::::

Configuration 4 (hide)

AND

cpe:2.3:a:microsoft:internet_explorer:9:*:*:*:*:*:*:*

OR	cpe:2.3:o:microsoft:windows_7:-:sp1::::::
	cpe:2.3:o:microsoft:windows_server_2008:-:sp2::::::
	cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:::::x64:*
	cpe:2.3:o:microsoft:windows_vista:-:sp2::::::

Configuration 5 (hide)

AND

cpe:2.3:a:microsoft:internet_explorer:10:*:*:*:*:*:*:*

OR	cpe:2.3:o:microsoft:windows_7:-:sp1::::::
	cpe:2.3:o:microsoft:windows_8:-:::::::*
	cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:::::x64:*
	cpe:2.3:o:microsoft:windows_server_2012:-:::::::*

Configuration 6 (hide)

AND

cpe:2.3:a:microsoft:internet_explorer:11:-:*:*:*:*:*:*

OR	cpe:2.3:o:microsoft:windows_8.1:-:::::::*
	cpe:2.3:o:microsoft:windows_rt_8.1:-:::::::*
	cpe:2.3:o:microsoft:windows_server_2012:r2:::::::*

History

16 Jul 2024, 17:35

Type	Values Removed	Values Added
CPE	cpe:2.3:a:microsoft:internet_explorer:11:developer-preview:::::: cpe:2.3:a:microsoft:internet_explorer:11:release-preview::::::	cpe:2.3:o:microsoft:windows_vista:-:sp2:::::: cpe:2.3:o:microsoft:windows_xp:-:sp2:::professional::x64: cpe:2.3:o:microsoft:windows_server_2003:-:sp2:::::: cpe:2.3:o:microsoft:windows_rt_8.1:-:::::::* cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:::::: cpe:2.3:o:microsoft:windows_7:-:sp1:::::: cpe:2.3:o:microsoft:windows_8.1:-:::::::* cpe:2.3:o:microsoft:windows_server_2012:-:::::::* cpe:2.3:o:microsoft:windows_8:-:::::::* cpe:2.3:o:microsoft:windows_xp:-:sp3:::::: cpe:2.3:o:microsoft:windows_server_2008:-:sp2:::::: cpe:2.3:a:microsoft:internet_explorer:11:-:::::: cpe:2.3:o:microsoft:windows_server_2012:r2:::::::* cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:::::x64:*
First Time		Microsoft windows Server 2003 Microsoft windows Rt 8.1 Microsoft windows Xp Microsoft windows 7 Microsoft windows Server 2012 Microsoft windows Vista Microsoft windows 8.1 Microsoft windows 8 Microsoft windows Server 2008
CVSS	v2 : ~~9.3~~ v3 : ~~unknown~~	v2 : 9.3 v3 : 8.8
References	~~() http://blogs.technet.com/b/srd/archive/2013/10/08/ms13-080-addresses-two-vulnerabilities-under-limited-targeted-attacks.aspx - Vendor Advisory~~	() http://blogs.technet.com/b/srd/archive/2013/10/08/ms13-080-addresses-two-vulnerabilities-under-limited-targeted-attacks.aspx - Broken Link, Vendor Advisory
References	~~() http://www.us-cert.gov/ncas/alerts/TA13-288A - US Government Resource~~	() http://www.us-cert.gov/ncas/alerts/TA13-288A - Third Party Advisory, US Government Resource
References	~~() https://docs.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-080 -~~	() https://docs.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-080 - Patch, Vendor Advisory
References	~~() https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18989 -~~	() https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18989 - Broken Link
CWE	~~CWE-399~~	CWE-416

Information

Published : 2013-10-09 14:54

Updated : 2024-07-16 17:35

NVD link : CVE-2013-3897

Mitre link : CVE-2013-3897

CVE.ORG link : CVE-2013-3897

JSON object : View

Products Affected

microsoft

windows_vista
windows_8
windows_server_2012
windows_xp
windows_rt_8.1
internet_explorer
windows_7
windows_server_2003
windows_server_2008
windows_8.1

CWE

CWE-416

Use After Free

8.8 /10