CVE-2013-3897
In short
Internet Explorer has a bug where it tries to use memory that has already been freed, allowing attackers to run malicious code or crash the browser through specially crafted JavaScript. This vulnerability was actively exploited in real-world attacks in 2013.
Technical detail
A use-after-free vulnerability in the CDisplayPointer class of mshtml.dll is exploitable via crafted JavaScript that uses the onpropertychange event handler. It affects IE 6–11 and enables arbitrary code execution or denial of service through memory corruption; the only user interaction required is visiting a malicious webpage.
Summary generated and translated by AI from the official description.
Use-after-free vulnerability in the CDisplayPointer class in mshtml.dll in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted JavaScript code that uses the onpropertychange event handler, as exploited in the wild in September and October 2013, aka "Internet Explorer Memory Corruption Vulnerability."
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected products
n/a · n/a
Public PoCs found — 1
exploitdb · www.exploit-db.com/exploits/28974 · unverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
References
http://blogs.technet.com/b/srd/archive/2013/10/08/ms13-080-addresses-two-vulnerabilities-under-limited-targeted-attacks.aspx
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-080
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18989
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2013-3897
http://www.us-cert.gov/ncas/alerts/TA13-288A