CVE-2010-0248

HIGH

Microsoft Internet Explorer - Code Injection

Title source: rule

Description

Microsoft Internet Explorer 6, 6 SP1, 7, and 8 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code by accessing an object that (1) was not properly initialized or (2) is deleted, leading to memory corruption, aka "HTML Object Memory Corruption Vulnerability."

Exploits (2)

exploitdb WORKING POC VERIFIED

by Metasploit · rubyremotewindows

https://www.exploit-db.com/exploits/18642

View Code ZIP pw:eip

metasploit WORKING POC NORMAL

by Peter Vreugdenhil, juan vazquez, sinn3r · rubypocwin

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ms10_002_ie_object.rb

View Code ZIP pw:eip

References (3)

[Third Party Advisory, VDB Entry] https://exchange.xforce.ibmcloud.com/vulnerabilities/55778

[Vendor Advisory] https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-002

[Third Party Advisory, VDB Entry] https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8267

Scores

CVSS v3 8.1

EPSS 0.7838

EPSS Percentile 99.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-94 CWE-416

Status draft

Affected Products (27)

microsoft/internet_explorer

microsoft/internet_explorer

microsoft/internet_explorer

microsoft/internet_explorer

microsoft/internet_explorer

microsoft/internet_explorer

microsoft/internet_explorer

microsoft/internet_explorer

microsoft/internet_explorer

microsoft/internet_explorer

microsoft/internet_explorer

microsoft/internet_explorer

microsoft/internet_explorer

microsoft/internet_explorer

microsoft/internet_explorer

... and 12 more

Timeline

Published Jan 22, 2010

Tracked Since Feb 18, 2026