CVE-2013-3860 — Improper Input Validation in Microsoft NET Framework

CWE-20 — Improper Input Validation3 documents3 sources
Severity
7.8HIGHNVD
EPSS
63.8%
top 1.57%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Microsoft NET Framework
Timeline
PublishedOct 9
Latest updateMay 14

Description

Microsoft .NET Framework 2.0 SP2, 3.5, 3.5 SP1, 3.5.1, 4, and 4.5 does not properly parse a DTD during XML digital-signature validation, which allows remote attackers to cause a denial of service (application crash or hang) via a crafted signed XML document, aka "Entity Expansion Vulnerability."

CVSS vector

AV:N/AC:L/C:N/I:N/A:CExploitability: 10.0 | Impact: 6.9

Affected Packages1 packages

â–¶NVDmicrosoft/net_framework5 versions+4

🔴Vulnerability Details

2
GHSA
GHSA-685c-84g9-3pxv: Microsoft↗2022-05-14
â–¶
CVEList
CVE-2013-3860: Microsoft↗2013-10-09
â–¶
CVE-2013-3860 — Improper Input Validation in Microsoft | cvebase