Vulnerability Description
The Microsoft.XMLDOM ActiveX control in Microsoft Windows 8.1 and earlier allows remote attackers to determine the existence of local pathnames, UNC share pathnames, intranet hostnames, and intranet IP addresses by examining error codes, as demonstrated by a res:// URL, and exploited in the wild in February 2014.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Microsoft | Internet Explorer | 6 |
| Microsoft | Windows Server 2003 | - |
| Microsoft | Windows Server 2008 | - |
| Microsoft | Windows Vista | - |
| Microsoft | Windows 7 | - |
| Microsoft | Windows 8 | - |
| Microsoft | Windows Rt | - |
| Microsoft | Windows Server 2012 | - |
| Microsoft | Windows 8.1 | - |
| Microsoft | Windows Rt 8.1 | - |
Related Weaknesses (CWE)
References
- http://www.fireeye.com/blog/uncategorized/2014/02/operation-snowman-deputydog-acThird Party Advisory
- http://www.kb.cert.org/vuls/id/539289Third Party AdvisoryUS Government Resource
- http://www.securitytracker.com/id/1030818Third Party AdvisoryVDB Entry
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2014/ms14-05PatchVendor Advisory
- https://soroush.secproject.com/blog/2013/04/microsoft-xmldom-in-ie-can-divulge-iExploit
- http://www.fireeye.com/blog/uncategorized/2014/02/operation-snowman-deputydog-acThird Party Advisory
- http://www.kb.cert.org/vuls/id/539289Third Party AdvisoryUS Government Resource
- http://www.securitytracker.com/id/1030818Third Party AdvisoryVDB Entry
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2014/ms14-05PatchVendor Advisory
- https://soroush.secproject.com/blog/2013/04/microsoft-xmldom-in-ie-can-divulge-iExploit
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2013-US Government Resource
FAQ
What is CVE-2013-7331?
CVE-2013-7331 is a vulnerability with a CVSS score of 6.5 (MEDIUM). The Microsoft.XMLDOM ActiveX control in Microsoft Windows 8.1 and earlier allows remote attackers to determine the existence of local pathnames, UNC share pathnames, intranet hostnames, and intranet I...
How severe is CVE-2013-7331?
CVE-2013-7331 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2013-7331?
Check the references section above for vendor advisories and patch information. Affected products include: Microsoft Internet Explorer, Microsoft Windows Server 2003, Microsoft Windows Server 2008, Microsoft Windows Vista, Microsoft Windows 7.