CVE-2014-0322

HIGH KEV

MS14-012 Microsoft Internet Explorer CMarkup Use-After-Free

Title source: metasploit

Description

Use-after-free vulnerability in Microsoft Internet Explorer 9 and 10 allows remote attackers to execute arbitrary code via vectors involving crafted JavaScript code, CMarkup, and the onpropertychange attribute of a script element, as exploited in the wild in January and February 2014.

Exploits (3)

exploitdb WORKING POC VERIFIED

by Metasploit · rubyremotewindows

https://www.exploit-db.com/exploits/32904

View Code ZIP pw:eip

exploitdb WORKING POC VERIFIED

by Jean-Jamil Khalife · htmlremotewindows

https://www.exploit-db.com/exploits/32851

View Code ZIP pw:eip

metasploit WORKING POC NORMAL

by Unknown, Jean-Jamil Khalife, juan vazquez · rubypocwin

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ms14_012_cmarkup_uaf.rb

View Code ZIP pw:eip

References (12)

[Broken Link, Permissions Required] http://community.websense.com/blogs/securitylabs/archive/2014/02/13/msie-0-day-exploit-cve-2014-0322-possibly-targeting-french-aerospace-organization.aspx

[Patch, Vendor Advisory] http://technet.microsoft.com/security/advisory/2934088

[Press/Media Coverage] http://twitter.com/nanoc0re/statuses/434251658344673281

[Exploit, Third Party Advisory, VDB Entry] http://www.exploit-db.com/exploits/32851

[Exploit, Third Party Advisory, VDB Entry] http://www.exploit-db.com/exploits/32904

[Broken Link] http://www.fireeye.com/blog/technical/cyber-exploits/2014/02/new-ie-zero-day-found-in-watering-hole-attack-2.html

[Broken Link] http://www.fireeye.com/blog/uncategorized/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html

[Third Party Advisory, US Government Resource] http://www.kb.cert.org/vuls/id/732479

[Broken Link] http://www.osvdb.org/103354

[Patch, Vendor Advisory] https://docs.microsoft.com/en-us/security-updates/securitybulletins/2014/ms14-012

[Broken Link, Exploit] https://www.dropbox.com/s/pyxjgycmudirbqe/CVE-2014-0322.zip

[Third Party Advisory, US Government Resource] https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2014-0322

Scores

CVSS v3 8.8

EPSS 0.9320

EPSS Percentile 99.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CISA KEV 2022-05-04

VulnCheck KEV 2014-02-14

InTheWild.io 2018-10-12

ENISA EUVD EUVD-2014-0360

CWE

CWE-416

Status published

Products (2)

microsoft/internet_explorer 9

microsoft/internet_explorer 10

Published Feb 14, 2014

KEV Added May 04, 2022

Tracked Since Feb 18, 2026