CVE-2013-3171

Microsoft .NET Framework <4.5 - RCE

Title source: llm

Description

The serialization functionality in Microsoft .NET Framework 2.0 SP2, 3.5, 3.5 SP1, 3.5.1, 4, and 4.5 does not properly check the permissions of delegate objects, which allows remote attackers to execute arbitrary code via (1) a crafted XAML browser application (XBAP) or (2) a crafted .NET Framework application that leverages a partial-trust relationship, aka "Delegate Serialization Vulnerability."

References (3)

Core References
Third Party Advisory, VDB Entry (vdb-entry, signature, x_refsource_oval)
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16867
Third Party Advisory, US Government Resource (third-party-advisory, x_refsource_cert)
http://www.us-cert.gov/ncas/alerts/TA13-190A

Scores

EPSS 0.2060
EPSS Percentile 97.2%

Details

CWE CWE-94
Status published
Products (5)
microsoft/.net_framework 2.0 sp2
microsoft/.net_framework 3.5 (2 CPE variants)
microsoft/.net_framework 3.5.1
microsoft/.net_framework 4.0
microsoft/.net_framework 4.5
Published Jul 10, 2013
Tracked Since Feb 18, 2026