Back to CVE Browser

CVE-2013-3893

Known Exploited (CISA KEV)HIGH

8.8

CVSS Severity Score

EPSS Score26.3810%

EPSS Percentile96.90th

PublishedSep 18, 2013

Last ModifiedApr 22, 2026

Vulnerability Description

Use-after-free vulnerability in the SetMouseCapture implementation in mshtml.dll in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code via crafted JavaScript strings, as demonstrated by use of an ms-help: URL that triggers loading of hxds.dll.

Affected Platforms (CPE)

📦

Microsoft

Internet Explorer

= 6

📦

Microsoft

Internet Explorer

= 7

📦

Microsoft

Internet Explorer

= 8

📦

Microsoft

Internet Explorer

= 9

📦

Microsoft

Internet Explorer

= 10

📦

Microsoft

Internet Explorer

= 11

📦

Microsoft

Internet Explorer

= 11

References & Advisories

🔗 http://blogs.technet.com/b/srd/archive/2013/09/17/cve-2013-3893-fix-it-workaround-available.aspx

🔗 http://blogs.technet.com/b/srd/archive/2013/10/08/ms13-080-addresses-two-vulnerabilities-under-limited-targeted-attacks.aspx

🔗 http://jvn.jp/en/jp/JVN27443259/index.html

🔗 http://jvndb.jvn.jp/ja/contents/2013/JVNDB-2013-000093.html

🔗 http://packetstormsecurity.com/files/162585/Microsoft-Internet-Explorer-8-SetMouseCapture-Use-After-Free.html

🔗 http://pastebin.com/raw.php?i=Hx1L5gu6

🔗 http://technet.microsoft.com/security/advisory/2887505

🔗 http://www.securityfocus.com/bid/62453

Related Vulnerabilities

CVE-1999-046510.0

Remote attackers can crash Lynx and Internet Explorer using an IMG tag with a large width parameter.

CVE-1999-034710.0

Internet Explorer 4.01 allows remote attackers to read local files and spoof web pages via a "%01" character in an "about:" Javasc...

CVE-1999-096710.0

Buffer overflow in the HTML library used by Internet Explorer, Outlook Express, and Windows Explorer via the res: local resource p...

CVE-1999-124110.0

Internet Explorer, with a security setting below Medium, allows remote attackers to execute arbitrary commands via a malicious web...