CVE-2013-3171Code Injection in Microsoft NET Framework

CWE-94Code Injection3 documents3 sources
Severity
9.3CRITICALNVD
EPSS
8.6%
top 7.56%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Microsoft NET Framework
Timeline
PublishedJul 10
Latest updateMay 14

Description

The serialization functionality in Microsoft .NET Framework 2.0 SP2, 3.5, 3.5 SP1, 3.5.1, 4, and 4.5 does not properly check the permissions of delegate objects, which allows remote attackers to execute arbitrary code via (1) a crafted XAML browser application (XBAP) or (2) a crafted .NET Framework application that leverages a partial-trust relationship, aka "Delegate Serialization Vulnerability."

CVSS vector

AV:N/AC:M/C:C/I:C/A:CExploitability: 8.6 | Impact: 10.0

Affected Packages1 packages

NVDmicrosoft/net_framework5 versions+4

🔴Vulnerability Details

2
GHSA
GHSA-x6g8-r436-7qmg: The serialization functionality in Microsoft2022-05-14
CVEList
CVE-2013-3171: The serialization functionality in Microsoft2013-07-10
CVE-2013-3171 — Code Injection in Microsoft | cvebase