CVE-2013-3906

CVSS V2 High 9.3 CVSS V3 None
Description
GDI+ in Microsoft Windows Vista SP2 and Server 2008 SP2; Office 2003 SP3, 2007 SP3, and 2010 SP1 and SP2; Office Compatibility Pack SP3; and Lync 2010, 2010 Attendee, 2013, and Basic 2013 allows remote attackers to execute arbitrary code via a crafted TIFF image, as demonstrated by an image in a Word document, and exploited in the wild in October and November 2013.
Overview
  • CVE ID
  • CVE-2013-3906
  • Assigner
  • secure@microsoft.com
  • Vulnerability Status
  • Modified
  • Published Version
  • 2013-11-06T15:55:05
  • Last Modified Date
  • 2018-10-12T22:05:16
Weakness Enumerations
CWE URL
CWE-94 http://cwe.mitre.org/data/definitions/94.html
CPE Configuration (Product)
CPE Vulnerable Operator Version Start Version End
cpe:2.3:a:microsoft:office:2003:sp3:*:*:*:*:*:* 1 OR
cpe:2.3:a:microsoft:office:2007:sp3:*:*:*:*:*:* 1 OR
cpe:2.3:a:microsoft:office:2010:sp1:x64:*:*:*:*:* 1 OR
cpe:2.3:a:microsoft:office:2010:sp1:x86:*:*:*:*:* 1 OR
cpe:2.3:a:microsoft:office:2010:sp2:x64:*:*:*:*:* 1 OR
cpe:2.3:a:microsoft:office:2010:sp2:x86:*:*:*:*:* 1 OR
cpe:2.3:o:microsoft:windows_vista:*:sp2:*:*:*:*:*:* 1 OR
cpe:2.3:o:microsoft:windows_vista:*:sp2:x64:*:*:*:*:* 1 OR
cpe:2.3:o:microsoft:windows_server_2008:*:sp2:itanium:*:*:*:*:* 1 OR
cpe:2.3:o:microsoft:windows_server_2008:*:sp2:x64:*:*:*:*:* 1 OR
cpe:2.3:o:microsoft:windows_server_2008:*:sp2:x86:*:*:*:*:* 1 OR
cpe:2.3:a:microsoft:lync:2010:*:attendee:*:*:*:*:* 1 OR
cpe:2.3:a:microsoft:lync:2010:*:x64:*:*:*:*:* 1 OR
cpe:2.3:a:microsoft:lync:2010:*:x86:*:*:*:*:* 1 OR
cpe:2.3:a:microsoft:lync:2013:-:x64:*:*:*:*:* 1 OR
cpe:2.3:a:microsoft:lync:2013:-:x86:*:*:*:*:* 1 OR
cpe:2.3:a:microsoft:lync_basic:2013:-:x64:*:*:*:*:* 1 OR
cpe:2.3:a:microsoft:lync_basic:2013:-:x86:*:*:*:*:* 1 OR
CVSS Version 2
  • Version
  • 2.0
  • Vector String
  • AV:N/AC:M/Au:N/C:C/I:C/A:C
  • Access Vector
  • NETWORK
  • Access Compatibility
  • MEDIUM
  • Authentication
  • NONE
  • Confidentiality Impact
  • COMPLETE
  • Integrity Impact
  • COMPLETE
  • Availability Impact
  • COMPLETE
  • Base Score
  • 9.3
  • Severity
  • HIGH
  • Exploitability Score
  • 8.6
  • Impact Score
  • 10
References
Reference URL Reference Tags
http://blogs.mcafee.com/mcafee-labs/mcafee-labs-detects-zero-day-exploit-targeting-microsoft-office-2 Exploit
http://technet.microsoft.com/security/advisory/2896666 Patch Vendor Advisory
http://blogs.technet.com/b/srd/archive/2013/11/05/cve-2013-3906-a-graphics-vulnerability-exploited-through-word-documents.aspx Exploit
http://www.exploit-db.com/exploits/30011 Exploit
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-096
Sources
Source Name Source URL
NIST https://nvd.nist.gov/vuln/detail/CVE-2013-3906
MITRE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3906
History
Created Old Value New Value Data Type Notes
2022-05-10 18:23:58 Added to TrackCVE
2022-12-01 20:39:05 2013-11-06T15:55Z 2013-11-06T15:55:05 CVE Published Date updated
2022-12-01 20:39:05 2018-10-12T22:05:16 CVE Modified Date updated
2022-12-01 20:39:05 Modified Vulnerability Status updated