CVSS: 9.3EPSS: 77%CPEs: 8EXPL: 2CVE-2014-0257 – Microsoft .NET Deployment Service - IE Sandbox Escape (MS14-009)
https://notcve.org/view.php?id=CVE-2014-0257
Microsoft .NET Framework 1.0 SP3, 1.1 SP1, 2.0 SP2, 3.5, 3.5.1, 4, 4.5, and 4.5.1 does not properly determine whether it is safe to execute a method, which allows remote attackers to execute arbitrary code via (1) a crafted web site or (2) a crafted .NET Framework application that exposes a COM server endpoint, aka "Type Traversal Vulnerability." Microsoft .NET Framework 1.0 SP3, 1.1 SP1, 2.0 SP2, 3.5, 3.5.1, 4, 4.5 y 4.5.1 no determina adecuadamente si es seguro ejecutar un método, lo que permite a atacantes remotos ejecutar código arbitrario a través de (1) un sitio web manipulado o (2) una aplicación .NET Framework manipulada que expone un servidor COM, también conocido como "Type Traversal Vulnerability." • https://www.exploit-db.com/exploits/33892 http://packetstormsecurity.com/files/127246/MS14-009-.NET-Deployment-Service-IE-Sandbox-Escape.html http://secunia.com/advisories/56793 http://www.exploit-db.com/exploits/33892 http://www.osvdb.org/103163 http://www.securityfocus.com/bid/65417 http://www.securitytracker.com/id/1029745 https://docs.microsoft.com/en-us/security-updates/securitybulletins/2014/ms14-009 https://github.com/tyranid/IE11SandboxEscapes • CWE-20: Improper Input Validation •
CVSS: 9.3EPSS: 80%CPEs: 48EXPL: 0CVE-2013-3128 – Microsoft Windows OpenType Font Parsing Persistent Denial-of-Service Vulnerability
https://notcve.org/view.php?id=CVE-2013-3128
The kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows Server 2012, and Windows RT, and .NET Framework 3.0 SP2, 3.5, 3.5.1, 4, and 4.5, allow remote attackers to execute arbitrary code via a crafted OpenType font (OTF) file, aka "OpenType Font Parsing Vulnerability." Los drivers kernel-mode en Microsoft Windows XP SP2 y SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 y R2 SP1, Windows 7 SP1, Windows 8, Windows Server 2012, y Windows RT, y .NET Framework 3.0 SP2, 3.5, 3.5.1, 4, y 4.5, permite a atacantes remotos ejecutar código arbitrario a través de un archivo de fuente OpenType (OTF), también conocido como "Vulnerabilidad de parseo de fuentes OpenType". This vulnerability allows remote attackers to causes a persistent Denial-of-Service on machines running vulnerable versions of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must open a vulnerable font. The specific flaw exists within the handling of OpenType Fonts in the Windows Kernel. The machine will immediately crash and be unable to restart if a user attempts to use the malicious font. • http://www.us-cert.gov/ncas/alerts/TA13-288A https://docs.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-081 https://docs.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-082 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18847 •
CVSS: 7.8EPSS: 30%CPEs: 6EXPL: 0CVE-2013-3860
https://notcve.org/view.php?id=CVE-2013-3860
Microsoft .NET Framework 2.0 SP2, 3.5, 3.5 SP1, 3.5.1, 4, and 4.5 does not properly parse a DTD during XML digital-signature validation, which allows remote attackers to cause a denial of service (application crash or hang) via a crafted signed XML document, aka "Entity Expansion Vulnerability." Microsoft. NET Framework 2.0 SP2, 3.5, 3.5 SP1, 3.5.1, 4 y 4.5 no analiza adecuadamente una DTD durante la validación de firmas digitales XML, lo que permite a atacantes remotos provocar una denegación de servicio (caída de la aplicación o bloqueo) a través un documento XML firmado manipulado, también conocido como "Entity Expansion Vulnerability." • http://www.us-cert.gov/ncas/alerts/TA13-288A https://docs.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-082 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18517 • CWE-20: Improper Input Validation •
CVSS: 7.8EPSS: 62%CPEs: 6EXPL: 0CVE-2013-3861
https://notcve.org/view.php?id=CVE-2013-3861
Microsoft .NET Framework 2.0 SP2, 3.5, 3.5 SP1, 3.5.1, 4, and 4.5 allows remote attackers to cause a denial of service (application crash or hang) via crafted character sequences in JSON data, aka "JSON Parsing Vulnerability." Microsoft .NET Framework 2.0 SP2, 3.5, 3.5 SP1, 3.5.1, 4, y 4.5 permite a atacantes remotos provocar una denegación de servicio (caída de la aplicación o cuelgue) a través de una secuencia de caracteres manipulados en datos JSON, también conocido como "Vulnerabilidad JSON Parsing." • http://www.us-cert.gov/ncas/alerts/TA13-288A https://docs.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-082 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18842 • CWE-20: Improper Input Validation •
CVSS: 9.3EPSS: 43%CPEs: 7EXPL: 0CVE-2013-3132
https://notcve.org/view.php?id=CVE-2013-3132
Microsoft .NET Framework 1.0 SP3, 1.1 SP1, 2.0 SP2, 3.5, 3.5.1, 4, and 4.5 does not properly check the permissions of objects that use reflection, which allows remote attackers to execute arbitrary code via (1) a crafted XAML browser application (XBAP) or (2) a crafted .NET Framework application, aka "Delegate Reflection Bypass Vulnerability." Microsoft .NET Framework 2.0 SP2, 3.5, 3.5.1, 4, y 4.5, no valida adecuadamente los permisos de los objetos que usan el reflejo (reflection), lo que permite a atacantes remotos ejecutar código de su elección a través de (1) una aplicación manipulada para navegadores XAML (XBAP) o (2)una aplicación .NET Framework. Aka "Delegate Reflection Bypass Vulnerability." • http://www.us-cert.gov/ncas/alerts/TA13-190A https://docs.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-052 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A17430 • CWE-94: Improper Control of Generation of Code ('Code Injection') •