CVE-2003-1378

Microsoft Outlook and Outlook Express - Remote Code Execution via HTML Email CODEBASE Parameter

Title source: llm
Exploitation Summary

EIP tracks 1 public exploit for CVE-2003-1378. PoCs published by http-equiv.

AI-analyzed exploit summary: This exploit leverages a vulnerability in Microsoft Outlook and Outlook Express where arbitrary programs can be executed through objects embedded in HTML email messages. The exploit uses a CODEBASE reference and non-zero CLASSID value to execute an executable file from a known path.

Description

Microsoft Outlook Express 6.0 and Outlook 2000, with the security zone set to Internet Zone, allow remote attackers to execute arbitrary programs via an HTML email with the CODEBASE parameter set to the program, a vulnerability similar to CAN-2002-0077.

Exploits (1)

exploitdb WORKING POC VERIFIED
by http-equiv · text · remote · windows
https://www.exploit-db.com/exploits/22280

Classification: Working PoC (90%)
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Microsoft Outlook and Outlook Express (versions affected by CVE-2003-1378)
No auth needed
Prerequisites: Victim must open the malicious HTML email in Outlook or Outlook Express; known path to an executable file on the victim's system
devstral-2 · analyzed Feb 16, 2026

References (4)

Core References
Exploit mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/312910
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/11411
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/6923
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/312929

Scores

EPSS 0.1558
EPSS Percentile 96.4%

Details

CWE: CWE-264
Status: published
Products (2)
microsoft/outlook 2000 (3 CPE variants)
microsoft/outlook_express 6.0
Published: Dec 31, 2003
Tracked Since: Feb 18, 2026