⚠ Actively exploited
Added to CISA KEV on 2022-06-08. Federal agencies required to patch by 2022-06-22. Required action: Apply updates per vendor instructions.

CVE-2013-1331: Classic Buffer Overflow in Microsoft Office

Severity: 7.8 HIGH (NVD)
EPSS: 88.9% (top 0.47%)
CISA KEV: Added 2022-06-08, Due 2022-06-22
Exploit: Exploited in wild (active exploitation observed)

Timeline

Published: Jun 12
KEV added: Jun 8
KEV due: Jun 22

Description

Buffer overflow in Microsoft Office 2003 SP3 and Office 2011 for Mac allows remote attackers to execute arbitrary code via crafted PNG data in an Office document, leading to improper memory allocation, aka "Office Buffer Overflow Vulnerability."

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploitability: 1.8 | Impact: 5.9

Affected Packages (1 package)

NVD: microsoft/office: 2003, 2011 +1

🔴 Vulnerability Details (2)

GHSA: GHSA-h8gm-f3pp-ppg9: Buffer overflow in Microsoft Office 2003 SP3 and Office 2011 for Mac allows remote attackers to execute arbitrary code via crafted PNG data in an Offi (2022-05-14)
VulnCheck: Microsoft Office Buffer Overflow Vulnerability (2013)

💥 Exploits & PoCs (3)

Exploit-DB: Seagate BlackArmor NAS sg2000-2000.1331 - Cross-Site Request Forgery (2014-01-06)
Exploit-DB: Seagate BlackArmor NAS sg2000-2000.1331 - Multiple Persistent Cross-Site Scripting Vulnerabilities (2014-01-06)
Exploit-DB: Seagate BlackArmor NAS sg2000-2000.1331 - Remote Command Execution (2014-01-06)

📋 Vendor Advisories (1)

CISA: Microsoft Office Buffer Overflow Vulnerability (2022-06-08)

🕵️ Threat Intelligence (2)

Fortinet: An Inside Look at CVE-2017-0199 – HTA and Scriptlet File Handler Vulnerability (2017-06-04)
Zscaler: Zscaler found Multiple Security Vulnerabilities | 06-11-2013