CVE-2018-1004Out-of-bounds Write in Microsoft Internet Explorer 9

CWE-787Out-of-bounds Write10 documents6 sources
Severity
8.8HIGHNVD
EPSS
34.5%
top 3.00%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
11
Microsoft Internet Explorer 9Microsoft Windows 10Microsoft Windows 7+8 more
Timeline
PublishedApr 12
Latest updateMay 13

Description

A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory, aka "Windows VBScript Engine Remote Code Execution Vulnerability." This affects Windows 7, Windows Server 2012 R2, Internet Explorer 9, Windows RT 8.1, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages12 packages

CVEListV5microsoft/windows_server_2012(Server Core installation)
CVEListV5microsoft/windows_server_2012_r2(Server Core installation)
CVEListV5microsoft/windows_server_2016(Server Core installation)
CVEListV5microsoft/windows_server_2008_r2Itanium-Based Systems Service Pack 1, x64-based Systems Service Pack 1, x64-based Systems Service Pack 1 (Server Core installation)+2

Patches

Patch: portal.msrc.microsoft.comPatch: portal.msrc.microsoft.com

🔴Vulnerability Details

2
GHSA
GHSA-jrwg-jrgf-8pvv: A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory, aka "Windows VBScript Engine Remote Code E2022-05-13
CVEList
CVE-2018-1004: A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory, aka "Windows VBScript Engine Remote Code E2018-04-12

💥Exploits & PoCs

1
Exploit-DB
University Application System 1.0 - SQL Injection / Cross-Site Request Forgery (Add Admin)2018-10-30

📋Vendor Advisories

1
Microsoft
Windows VBScript Engine Remote Code Execution Vulnerability2018-04-10
CVE-2018-1004 — Out-of-bounds Write in Microsoft | cvebase