CVE-2013-3163 : Microsoft Internet Explorer 8 through 10 allows remote attackers to execute arbitrary code or cause a denial of service

Microsoft Internet Explorer 8 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2013-3144 and CVE-2013-3151.

Published 2013-07-10 03:46:11

Updated 2018-10-12 22:04:42

Source Microsoft Corporation

View at NVD, CVE.org

Vulnerability category: Memory CorruptionExecute codeDenial of service

CVE-2013-3163 is in the CISA Known Exploited Vulnerabilities Catalog

CISA vulnerability name:

Microsoft Internet Explorer Memory Corruption Vulnerability

CISA required action:

The impacted product is end-of-life and should be disconnected if still in use.

CISA description:

Microsoft Internet Explorer contains a memory corruption vulnerability that allows remote attackers to execute code or cause a denial of service via a crafted website.

Notes:

https://learn.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-055

Added on 2023-03-30 Action due date 2023-04-20

Exploit prediction scoring system (EPSS) score for CVE-2013-3163

Probability of exploitation activity in the next 30 days: 96.39%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 100 % EPSS Score History EPSS FAQ

Metasploit modules for CVE-2013-3163

MS13-055 Microsoft Internet Explorer CAnchorElement Use-After-Free

Disclosure Date: 2013-07-09

First seen: 2020-04-26

exploit/windows/browser/ms13_055_canchor

In IE8 standards mode, it's possible to cause a use-after-free condition by first creating an illogical table tree, where a CPhraseElement comes after CTableRow, with the final node being a sub table element. When the CPhraseElement's outer content is reset by using

More information

CVSS scores for CVE-2013-3163

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
9.3	HIGH	AV:N/AC:M/Au:N/C:C/I:C/A:C	8.6	10.0	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete

CWE ids for CVE-2013-3163

CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2013-3163

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A17363

Repository / Oval Repository
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-055

Microsoft Security Bulletin MS13-055 - Critical | Microsoft Docs

CVEs referencing this url
http://www.us-cert.gov/ncas/alerts/TA13-190A

Microsoft Updates for Multiple Vulnerabilities | CISA
Third Party Advisory;US Government Resource

CVEs referencing this url

Products affected by CVE-2013-3163

Microsoft » Internet Explorer » Version: 8
cpe:2.3:a:microsoft:internet_explorer:8:*:*:*:*:*:*:*
Matching versions
Microsoft » Internet Explorer » Version: 9
cpe:2.3:a:microsoft:internet_explorer:9:*:*:*:*:*:*:*
Matching versions
Microsoft » Internet Explorer » Version: 10
cpe:2.3:a:microsoft:internet_explorer:10:*:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2013-3163