CVE-2013-3906

GDI+ in Microsoft Windows Vista SP2 and Server 2008 SP2; Office 2003 SP3, 2007 SP3, and 2010 SP1 and SP2; Office Compatibility Pack SP3; and Lync 2010, 2010 Attendee, 2013, and Basic 2013 allows remote attackers to execute arbitrary code via a crafted TIFF image, as demonstrated by an image in a Word document, and exploited in the wild in October and November 2013.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:microsoft:excel_viewer:-:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:lync:2010:*:*:*:attendee:*:*:*
cpe:2.3:a:microsoft:lync:2013:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:office:2003:sp3:*:*:*:*:*:*
cpe:2.3:a:microsoft:office:2007:sp3:*:*:*:*:*:*
cpe:2.3:a:microsoft:office:2010:sp1:*:*:*:*:*:*
cpe:2.3:a:microsoft:office:2010:sp2:*:*:*:*:*:*
cpe:2.3:a:microsoft:office_compatibility_pack:-:sp3:*:*:*:*:*:*
cpe:2.3:a:microsoft:powerpoint_viewer:2010:sp1:*:*:*:*:*:*
cpe:2.3:a:microsoft:powerpoint_viewer:2010:sp2:*:*:*:*:*:*
cpe:2.3:a:microsoft:word_viewer:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_vista:-:sp2:*:*:*:*:*:*

History

24 Jul 2024, 16:19

Type Values Removed Values Added
References () http://blogs.mcafee.com/mcafee-labs/mcafee-labs-detects-zero-day-exploit-targeting-microsoft-office-2 - Exploit () http://blogs.mcafee.com/mcafee-labs/mcafee-labs-detects-zero-day-exploit-targeting-microsoft-office-2 - Broken Link, Exploit
References () http://blogs.technet.com/b/srd/archive/2013/11/05/cve-2013-3906-a-graphics-vulnerability-exploited-through-word-documents.aspx - Exploit () http://blogs.technet.com/b/srd/archive/2013/11/05/cve-2013-3906-a-graphics-vulnerability-exploited-through-word-documents.aspx - Broken Link, Exploit
References () http://www.exploit-db.com/exploits/30011 - Exploit () http://www.exploit-db.com/exploits/30011 - Exploit, Third Party Advisory, VDB Entry
References () https://docs.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-096 - () https://docs.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-096 - Patch, Vendor Advisory
CPE cpe:2.3:a:microsoft:lync:2013:-:x86:*:*:*:*:*
cpe:2.3:a:microsoft:office:2010:sp2:x64:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2008:*:sp2:itanium:*:*:*:*:*
cpe:2.3:a:microsoft:office:2010:sp1:x64:*:*:*:*:*
cpe:2.3:o:microsoft:windows_vista:*:sp2:*:*:*:*:*:*
cpe:2.3:a:microsoft:lync:2010:*:attendee:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2008:*:sp2:x64:*:*:*:*:*
cpe:2.3:a:microsoft:lync_basic:2013:-:x64:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2008:*:sp2:x86:*:*:*:*:*
cpe:2.3:a:microsoft:office:2010:sp2:x86:*:*:*:*:*
cpe:2.3:a:microsoft:lync:2013:-:x64:*:*:*:*:*
cpe:2.3:a:microsoft:lync_basic:2013:-:x86:*:*:*:*:*
cpe:2.3:a:microsoft:lync:2010:*:x64:*:*:*:*:*
cpe:2.3:a:microsoft:office:2010:sp1:x86:*:*:*:*:*
cpe:2.3:a:microsoft:lync:2010:*:x86:*:*:*:*:*
cpe:2.3:a:microsoft:lync:2013:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:office:2010:sp1:*:*:*:*:*:*
cpe:2.3:a:microsoft:powerpoint_viewer:2010:sp1:*:*:*:*:*:*
cpe:2.3:a:microsoft:lync:2010:*:*:*:attendee:*:*:*
cpe:2.3:a:microsoft:office:2010:sp2:*:*:*:*:*:*
cpe:2.3:a:microsoft:office_compatibility_pack:-:sp3:*:*:*:*:*:*
cpe:2.3:a:microsoft:excel_viewer:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*
cpe:2.3:a:microsoft:word_viewer:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows_vista:-:sp2:*:*:*:*:*:*
cpe:2.3:a:microsoft:powerpoint_viewer:2010:sp2:*:*:*:*:*:*
CVSS v2 : 9.3
v3 : unknown
v2 : 9.3
v3 : 7.8
First Time Microsoft office Compatibility Pack
Microsoft excel Viewer
Microsoft powerpoint Viewer
Microsoft word Viewer

07 Dec 2023, 18:38

Type Values Removed Values Added
CPE cpe:2.3:o:microsoft:windows_vista:*:sp2:x64:*:*:*:*:*

Information

Published : 2013-11-06 15:55

Updated : 2024-07-24 16:19


NVD link : CVE-2013-3906

Mitre link : CVE-2013-3906

CVE.ORG link : CVE-2013-3906


JSON object : View

Products Affected

microsoft

  • office_compatibility_pack
  • office
  • powerpoint_viewer
  • lync
  • windows_server_2008
  • windows_vista
  • word_viewer
  • excel_viewer
CWE
CWE-94

Improper Control of Generation of Code ('Code Injection')