CVE-2013-3906

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2013-3906
GDI+ in Microsoft Windows Vista SP2 and Server 2008 SP2; Office 2003 SP3, 2007 SP3, and 2010 SP1 and SP2; Office Compatibility Pack SP3; and Lync 2010, 2010 Attendee, 2013, and Basic 2013 allows remote attackers to execute arbitrary code via a crafted TIFF image, as demonstrated by an image in a Word document, and exploited in the wild in October and November 2013.

9.3 /10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:N/AC:M/Au:N/C:C/I:C/A:C

Exploitability : 8.6 / Impact : 10.0

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References
Link Resource
http://blogs.mcafee.com/mcafee-labs/mcafee-labs-detects-zero-day-exploit-targeting-microsoft-office-2 Exploit
http://blogs.technet.com/b/srd/archive/2013/11/05/cve-2013-3906-a-graphics-vulnerability-exploited-through-word-documents.aspx Exploit
http://technet.microsoft.com/security/advisory/2896666 Patch Vendor Advisory
http://www.exploit-db.com/exploits/30011 Exploit
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-096
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:microsoft:office:2003:sp3:*:*:*:*:*:*
cpe:2.3:a:microsoft:office:2007:sp3:*:*:*:*:*:*
cpe:2.3:a:microsoft:office:2010:sp1:x64:*:*:*:*:*
cpe:2.3:a:microsoft:office:2010:sp1:x86:*:*:*:*:*
cpe:2.3:a:microsoft:office:2010:sp2:x64:*:*:*:*:*
cpe:2.3:a:microsoft:office:2010:sp2:x86:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:o:microsoft:windows_vista:*:sp2:*:*:*:*:*:*

Configuration 3 (hide)

OR cpe:2.3:o:microsoft:windows_server_2008:*:sp2:itanium:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2008:*:sp2:x64:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2008:*:sp2:x86:*:*:*:*:*

Configuration 4 (hide)

OR cpe:2.3:a:microsoft:lync:2010:*:attendee:*:*:*:*:*
cpe:2.3:a:microsoft:lync:2010:*:x64:*:*:*:*:*
cpe:2.3:a:microsoft:lync:2010:*:x86:*:*:*:*:*
cpe:2.3:a:microsoft:lync:2013:-:x64:*:*:*:*:*
cpe:2.3:a:microsoft:lync:2013:-:x86:*:*:*:*:*
cpe:2.3:a:microsoft:lync_basic:2013:-:x64:*:*:*:*:*
cpe:2.3:a:microsoft:lync_basic:2013:-:x86:*:*:*:*:*
History

07 Dec 2023, 18:38

Type Values Removed Values Added
CPE cpe:2.3:o:microsoft:windows_vista:*:sp2:x64:*:*:*:*:*
Information

Published : 2013-11-06 15:55

Updated : 2023-12-10 11:16

NVD link : CVE-2013-3906

Mitre link : CVE-2013-3906

CVE.ORG link : CVE-2013-3906

JSON object : View

Products Affected

microsoft

  • lync
  • office
  • windows_vista
  • lync_basic
  • windows_server_2008
CWE
CWE-94

Improper Control of Generation of Code ('Code Injection')