⚠ Actively exploited
Added to CISA KEV on 2022-05-25. Federal agencies required to patch by 2022-06-15. Required action: Apply updates per vendor instructions..

CVE-2013-7331Sensitive Information Exposure in Microsoft Internet Explorer

CWE-200Sensitive Information ExposureCWE-209Information Exposure via Error Message10 documents7 sources
Severity
6.5MEDIUMNVD
EPSS
81.8%
top 0.80%
CISA KEV
KEV
Added 2022-05-25
Due 2022-06-15
Exploit
Exploited in wild
Active exploitation observed
Affected products
1
Microsoft Internet Explorer
Timeline
PublishedFeb 26
KEV addedMay 25
KEV dueJun 15
CISA Required Action: Apply updates per vendor instructions.

Description

The Microsoft.XMLDOM ActiveX control in Microsoft Windows 8.1 and earlier allows remote attackers to determine the existence of local pathnames, UNC share pathnames, intranet hostnames, and intranet IP addresses by examining error codes, as demonstrated by a res:// URL, and exploited in the wild in February 2014.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:LExploitability: 3.9 | Impact: 2.5

Affected Packages1 packages

NVDmicrosoft/internet_explorer6 versions+5

Patches

Patch: docs.microsoft.comPatch: docs.microsoft.com

🔴Vulnerability Details

2
GHSA
GHSA-fprc-fr29-2qmp: The Microsoft2022-05-14
VulnCheck
Microsoft Internet Explorer Information Disclosure Vulnerability2013

💥Exploits & PoCs

1
Metasploit
MS14-052 Microsoft Internet Explorer XMLDOM Filename Disclosure

📋Vendor Advisories

1
CISA
Microsoft Internet Explorer Information Disclosure Vulnerability2022-05-25

🕵️Threat Intelligence

5
Talos
Evolution of the Nuclear Exploit Kit2014-10-09
Talos
Evolution of the Nuclear Exploit Kit2014-10-09
Talos
Microsoft Update Tuesday September 2014: another generally light month but with a significant IE bulletin2014-09-09
Talos
Microsoft Update Tuesday September 2014: another generally light month but with a significant IE bulletin2014-09-09
Recorded Future
Tracking Moving Targets: Exploit Kits and CVEs
CVE-2013-7331 — Sensitive Information Exposure | cvebase