CVE-2010-0483

CVSS V2 High 7.6 CVSS V3 None
Description
vbscript.dll in VBScript 5.1, 5.6, 5.7, and 5.8 in Microsoft Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP2, when Internet Explorer is used, allows user-assisted remote attackers to execute arbitrary code by referencing a (1) local pathname, (2) UNC share pathname, or (3) WebDAV server with a crafted .hlp file in the fourth argument (aka helpfile argument) to the MsgBox function, leading to code execution involving winhlp32.exe when the F1 key is pressed, aka "VBScript Help Keypress Vulnerability."
Overview
  • CVE ID
  • CVE-2010-0483
  • Assigner
  • secure@microsoft.com
  • Vulnerability Status
  • Modified
  • Published Version
  • 2010-03-03T19:30:00
  • Last Modified Date
  • 2019-02-26T14:04:00
Weakness Enumerations
CWE URL
CWE-94 http://cwe.mitre.org/data/definitions/94.html
CPE Configuration (Product)
CPE Vulnerable Operator Version Start Version End
AND
cpe:2.3:o:microsoft:windows_2000:*:sp4:*:*:*:*:*:* 1 OR
cpe:2.3:o:microsoft:windows_2003_server:*:sp2:*:*:*:*:*:* 1 OR
cpe:2.3:o:microsoft:windows_2003_server:*:sp2:itanium:*:*:*:*:* 1 OR
cpe:2.3:o:microsoft:windows_server_2003:*:sp2:*:*:*:*:*:* 1 OR
cpe:2.3:o:microsoft:windows_xp:*:sp2:*:*:*:*:*:* 1 OR
cpe:2.3:o:microsoft:windows_xp:*:sp3:*:*:*:*:*:* 1 OR
cpe:2.3:o:microsoft:windows_xp:-:sp2:x64:*:*:*:*:* 1 OR
cpe:2.3:a:microsoft:internet_explorer:6:*:*:*:*:*:*:* 0 OR
cpe:2.3:a:microsoft:internet_explorer:7:*:*:*:*:*:*:* 0 OR
cpe:2.3:a:microsoft:internet_explorer:8:*:*:*:*:*:*:* 0 OR
CVSS Version 2
  • Version
  • 2.0
  • Vector String
  • AV:N/AC:H/Au:N/C:C/I:C/A:C
  • Access Vector
  • NETWORK
  • Access Compatibility
  • HIGH
  • Authentication
  • NONE
  • Confidentiality Impact
  • COMPLETE
  • Integrity Impact
  • COMPLETE
  • Availability Impact
  • COMPLETE
  • Base Score
  • 7.6
  • Severity
  • HIGH
  • Exploitability Score
  • 4.9
  • Impact Score
  • 10
References
Reference URL Reference Tags
http://www.securityfocus.com/bid/38463 Exploit
http://www.kb.cert.org/vuls/id/612021 US Government Resource
http://isec.pl/vulnerabilities10.html Exploit
http://blogs.technet.com/msrc/archive/2010/03/01/security-advisory-981169-released.aspx Vendor Advisory
http://blogs.technet.com/msrc/archive/2010/02/28/investigating-a-new-win32hlp-and-internet-explorer-issue.aspx Vendor Advisory
http://blogs.technet.com/srd/archive/2010/03/01/help-keypress-vulnerability-in-vbscript-enabling-remote-code-execution.aspx Vendor Advisory
http://www.computerworld.com/s/article/9163298/New_zero_day_involves_IE_puts_Windows_XP_users_at_risk
http://securitytracker.com/id?1023668
http://www.microsoft.com/technet/security/advisory/981169.mspx Vendor Advisory
http://secunia.com/advisories/38727 Vendor Advisory
http://www.vupen.com/english/advisories/2010/0485 Vendor Advisory
https://www.metasploit.com/svn/framework3/trunk/modules/exploits/windows/browser/ie_winhlp32.rb Exploit
http://www.theregister.co.uk/2010/03/01/ie_code_execution_bug/
http://isec.pl/vulnerabilities/isec-0027-msgbox-helpfile-ie.txt Exploit
http://www.osvdb.org/62632
http://www.us-cert.gov/cas/techalerts/TA10-103A.html US Government Resource
https://exchange.xforce.ibmcloud.com/vulnerabilities/56558
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8654
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7170
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-022
Sources
Source Name Source URL
NIST https://nvd.nist.gov/vuln/detail/CVE-2010-0483
MITRE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0483
History
Created Old Value New Value Data Type Notes
2022-05-10 07:58:00 Added to TrackCVE