CVE-2013-3897

HIGH KEV

Microsoft Internet Explorer - Use After Free

Title source: rule

Description

Use-after-free vulnerability in the CDisplayPointer class in mshtml.dll in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted JavaScript code that uses the onpropertychange event handler, as exploited in the wild in September and October 2013, aka "Internet Explorer Memory Corruption Vulnerability."

Exploits (2)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · windows
https://www.exploit-db.com/exploits/28974
metasploit WORKING POC NORMAL
by Unknown, sinn3r · ruby · poc · win
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ms13_080_cdisplaypointer.rb

Scores

CVSS v3 8.8
EPSS 0.8821
EPSS Percentile 99.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CISA KEV 2022-03-03
VulnCheck KEV 2013-10-09
InTheWild.io 2018-10-12
ENISA EUVD EUVD-2013-3829
CWE CWE-416
Status published
Products (6)
microsoft/internet_explorer 6
microsoft/internet_explorer 7
microsoft/internet_explorer 8
microsoft/internet_explorer 9
microsoft/internet_explorer 10
microsoft/internet_explorer 11
Published Oct 09, 2013
KEV Added Mar 03, 2022
Tracked Since Feb 18, 2026