ID CVE-2013-0006
Summary Microsoft XML Core Services (aka MSXML) 3.0, 5.0, and 6.0 does not properly parse XML content, which allows remote attackers to execute arbitrary code via a crafted web page, aka "MSXML Integer Truncation Vulnerability."
References
Vulnerable Configurations
  • cpe:2.3:a:microsoft:xml_core_services:3.0:*:*:*:*:*:*:*
    cpe:2.3:a:microsoft:xml_core_services:3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:xml_core_services:4.0:*:*:*:*:*:*:*
    cpe:2.3:a:microsoft:xml_core_services:4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:xml_core_services:6.0:*:*:*:*:*:*:*
    cpe:2.3:a:microsoft:xml_core_services:6.0:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_7:-:*:*:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_7:-:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_7:-:sp1:x64:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_7:-:sp1:x64:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_8:-:-:x64:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_8:-:-:x64:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2003:*:sp2:*:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_server_2003:*:sp2:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2008:-:sp2:itanium:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_server_2008:-:sp2:itanium:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2008:-:sp2:x64:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_server_2008:-:sp2:x64:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2008:r2:-:x64:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_server_2008:r2:-:x64:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_vista:*:sp2:x64:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_vista:*:sp2:x64:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_xp:-:sp2:x64:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_xp:-:sp2:x64:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_rt:-:*:*:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_rt:-:*:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_server_2008:*:sp2:x86:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_server_2008:*:sp2:x86:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_vista:*:sp2:*:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_vista:*:sp2:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows_xp:*:sp3:*:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_xp:*:sp3:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:xml_core_services:5.0:*:*:*:*:*:*:*
    cpe:2.3:a:microsoft:xml_core_services:5.0:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:expression_web:*:sp1:*:*:*:*:*:*
    cpe:2.3:a:microsoft:expression_web:*:sp1:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:expression_web:2:*:*:*:*:*:*:*
    cpe:2.3:a:microsoft:expression_web:2:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:groove_server:2007:sp2:*:*:*:*:*:*
    cpe:2.3:a:microsoft:groove_server:2007:sp2:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:groove_server:2007:sp3:*:*:*:*:*:*
    cpe:2.3:a:microsoft:groove_server:2007:sp3:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:office:2003:sp3:*:*:*:*:*:*
    cpe:2.3:a:microsoft:office:2003:sp3:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:office:2007:sp2:*:*:*:*:*:*
    cpe:2.3:a:microsoft:office:2007:sp2:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:office:2007:sp3:*:*:*:*:*:*
    cpe:2.3:a:microsoft:office:2007:sp3:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:office_compatibility_pack:*:sp2:*:*:*:*:*:*
    cpe:2.3:a:microsoft:office_compatibility_pack:*:sp2:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:office_compatibility_pack:*:sp3:*:*:*:*:*:*
    cpe:2.3:a:microsoft:office_compatibility_pack:*:sp3:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:sharepoint_server:2007:sp2:*:*:*:*:*:*
    cpe:2.3:a:microsoft:sharepoint_server:2007:sp2:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:sharepoint_server:2007:sp3:*:*:*:*:*:*
    cpe:2.3:a:microsoft:sharepoint_server:2007:sp3:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:word_viewer:*:*:*:*:*:*:*:*
    cpe:2.3:a:microsoft:word_viewer:*:*:*:*:*:*:*:*
CVSS
Base: 9.3 (as of 20-11-2020 - 20:15)
Impact:
Exploitability:
CWE CWE-189
CAPEC
Access
VectorComplexityAuthentication
NETWORK MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
COMPLETE COMPLETE COMPLETE
cvss-vector via4 AV:N/AC:M/Au:N/C:C/I:C/A:C
msbulletin via4
bulletin_id MS13-002
bulletin_url
date 2013-01-08T00:00:00
impact Remote Code Execution
knowledgebase_id 2756145
knowledgebase_url
severity Critical
title Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution
oval via4
accepted 2014-08-18T04:01:38.008-04:00
class vulnerability
contributors
  • name SecPod Team
    organization SecPod Technologies
  • name Pradeep R B
    organization SecPod Technologies
  • name Pradeep R B
    organization SecPod Technologies
  • name Saurabh Kumar
    organization SecPod Technologies
  • name Maria Mikhno
    organization ALTX-SOFT
definition_extensions
  • comment Microsoft Office 2003 SP3 is installed
    oval oval:org.mitre.oval:def:15626
  • comment Microsoft Office 2007 SP2 is installed
    oval oval:org.mitre.oval:def:15607
  • comment Microsoft Office 2007 SP3 is installed
    oval oval:org.mitre.oval:def:15704
  • comment Microsoft Office SharePoint Server 2007 SP2 is installed
    oval oval:org.mitre.oval:def:15502
  • comment Microsoft Office SharePoint Server 2007 SP3 is installed
    oval oval:org.mitre.oval:def:15537
  • comment Microsoft Expression Web SP1 is installed
    oval oval:org.mitre.oval:def:15420
  • comment Microsoft Expression Web 2 is installed
    oval oval:org.mitre.oval:def:15694
  • comment Microsoft Office Compatibility Pack SP2 is installed
    oval oval:org.mitre.oval:def:15640
  • comment Microsoft Office Compatibility Pack SP3 is installed
    oval oval:org.mitre.oval:def:15035
  • comment Microsoft Word Viewer is installed
    oval oval:org.mitre.oval:def:737
  • comment Microsoft Groove Server 2007 Service Pack 2 is installed
    oval oval:org.mitre.oval:def:16135
  • comment Microsoft Groove Server 2007 Service Pack 3 is installed
    oval oval:org.mitre.oval:def:16203
  • comment Microsoft XML Core Services 5 is installed
    oval oval:org.mitre.oval:def:493
  • comment Microsoft Windows 8 (x64) is installed
    oval oval:org.mitre.oval:def:15571
  • comment Microsoft Windows Server 2012 (64-bit) is installed
    oval oval:org.mitre.oval:def:15585
  • comment Microsoft XML Core Services 3 is installed
    oval oval:org.mitre.oval:def:415
  • comment Microsoft XML Core Services 6 is installed
    oval oval:org.mitre.oval:def:454
  • comment Microsoft Windows 7 x64 Edition is installed
    oval oval:org.mitre.oval:def:5950
  • comment Microsoft Windows Server 2008 R2 x64 Edition is installed
    oval oval:org.mitre.oval:def:6438
  • comment Microsoft Windows Server 2008 R2 Itanium-Based Edition is installed
    oval oval:org.mitre.oval:def:5954
  • comment Microsoft XML Core Services 3 is installed
    oval oval:org.mitre.oval:def:415
  • comment Microsoft XML Core Services 6 is installed
    oval oval:org.mitre.oval:def:454
  • comment Microsoft Windows Server 2008 R2 x64 Edition is installed
    oval oval:org.mitre.oval:def:6438
  • comment Microsoft Windows Server 2008 R2 Itanium-Based Edition is installed
    oval oval:org.mitre.oval:def:5954
  • comment Microsoft Windows 7 x64 Edition is installed
    oval oval:org.mitre.oval:def:5950
  • comment Microsoft XML Core Services 3 is installed
    oval oval:org.mitre.oval:def:415
  • comment Microsoft XML Core Services 6 is installed
    oval oval:org.mitre.oval:def:454
  • comment Microsoft Windows Vista x64 Edition is installed
    oval oval:org.mitre.oval:def:2041
  • comment Microsoft Windows Server 2008 (64-bit) is installed
    oval oval:org.mitre.oval:def:5356
  • comment Microsoft Windows Server 2008 (ia-64) is installed
    oval oval:org.mitre.oval:def:5667
  • comment Microsoft XML Core Services 3 is installed
    oval oval:org.mitre.oval:def:415
  • comment Microsoft XML Core Services 6 is installed
    oval oval:org.mitre.oval:def:454
  • comment Microsoft Windows XP x64 is installed
    oval oval:org.mitre.oval:def:15247
  • comment Microsoft Windows Server 2003 (ia64) Gold is installed
    oval oval:org.mitre.oval:def:396
  • comment Microsoft Windows Server 2003 (x64) is installed
    oval oval:org.mitre.oval:def:730
  • comment Microsoft XML Core Services 3 is installed
    oval oval:org.mitre.oval:def:415
  • comment Microsoft XML Core Services 6 is installed
    oval oval:org.mitre.oval:def:454
description Microsoft XML Core Services (aka MSXML) 3.0, 5.0, and 6.0 does not properly parse XML content, which allows remote attackers to execute arbitrary code via a crafted web page, aka "MSXML Integer Truncation Vulnerability."
family windows
id oval:org.mitre.oval:def:16429
status accepted
submitted 2013-01-09T15:58:28
title MSXML Integer Truncation Vulnerability - MS13-002
version 84
refmap via4
cert TA13-008A
misc https://us-cert.cisa.gov/ics/advisories/icsa-20-315-01
Last major update 20-11-2020 - 20:15
Published 09-01-2013 - 18:09
Last modified 20-11-2020 - 20:15
Back to Top