CVE-2007-5348

Microsoft Digital Image Suite 2006 - Remote Code Execution via Crafted Gradient Fill Input

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2007-5348. PoCs published by John Smith.

AI-analyzed exploit summary This exploit leverages a vulnerability in GDI+ (CVE-2007-5348) via a malformed VML (Vector Markup Language) object in Internet Explorer. The exploit manipulates the 'focussize' and 'focusposition' properties to trigger a memory corruption issue, potentially leading to remote code execution.

Description

Integer overflow in GDI+ in Microsoft Internet Explorer 6 SP1, Windows XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, Server 2008, Office XP SP3, Office 2003 SP2 and SP3, 2007 Microsoft Office System Gold and SP1, Visio 2002 SP2, PowerPoint Viewer 2003, Works 8, Digital Image Suite 2006, SQL Server 2000 Reporting Services SP2, SQL Server 2005 SP2, Report Viewer 2005 SP1 and 2008, and Forefront Client Security 1.0 allows remote attackers to execute arbitrary code via an image file with crafted gradient sizes in gradient fill input, which triggers a heap-based buffer overflow related to GdiPlus.dll and VGX.DLL, aka "GDI+ VML Buffer Overrun Vulnerability."

Exploits (1)

exploitdb WORKING POC VERIFIED
by John Smith · htmldoswindows
https://www.exploit-db.com/exploits/6619

This exploit leverages a vulnerability in GDI+ (CVE-2007-5348) via a malformed VML (Vector Markup Language) object in Internet Explorer. The exploit manipulates the 'focussize' and 'focusposition' properties to trigger a memory corruption issue, potentially leading to remote code execution.

Classification
Working Poc 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Microsoft Internet Explorer 6.0.2900.2180 with Gdiplus.dll 5.1.3102.2180 on Windows XP SP2
No auth needed
Prerequisites: Victim must visit a malicious webpage or open a malicious HTML file · Target system must have vulnerable GDI+ and Internet Explorer versions
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (10)

Core 10
Core References
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/32154
Mailing List vendor-advisory x_refsource_hp
http://marc.info/?l=bugtraq&m=122235754013992&w=2
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2008/2696
US Government Resource third-party-advisory x_refsource_cert
http://www.us-cert.gov/cas/techalerts/TA08-253A.html
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2008/2520
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id?1020834
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6055
Third Party Advisory third-party-advisory x_refsource_idefense
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=743
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/31018

Scores

EPSS 0.5289
EPSS Percentile 98.8%

Details

CWE
CWE-189
Status published
Products (19)
microsoft/digital_image_suite 2006
microsoft/forefront_client_security 1.0
microsoft/internet_explorer 6 sp1
microsoft/office 2003 sp2 (2 CPE variants)
microsoft/office xp sp3
microsoft/office_powerpoint_viewer 2003
microsoft/office_system (2 CPE variants)
microsoft/report_viewer 2005 sp1
microsoft/report_viewer 2008
microsoft/server 2008
... and 9 more
Published Sep 11, 2008
Tracked Since Feb 18, 2026