CVE-2013-1330

2013-09-1114:03:00

CWE-20

[email protected]

web.nvd.nist.gov

107

cve-2013-1330

microsoft

sharepoint

portal server

office web apps

enableviewstatemac

vulnerability

remote code execution

nvd

7.3 High

AI Score

Confidence

Low

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.911 High

EPSS

Percentile

98.8%

JSON

The default configuration of Microsoft SharePoint Portal Server 2003 SP3, SharePoint Server 2007 SP3 and 2010 SP1 and SP2, and Office Web Apps 2010 does not set the EnableViewStateMac attribute, which allows remote attackers to execute arbitrary code by leveraging an unassigned workflow, aka “MAC Disabled Vulnerability.”

CPENameOperatorVersion
microsoft:sharepoint_servicesmicrosoft sharepoint serviceseq3.0
microsoft:sharepoint_foundationmicrosoft sharepoint foundationeq2010
microsoft:sharepoint_servermicrosoft sharepoint servereq2007
microsoft:sharepoint_servermicrosoft sharepoint servereq2010
microsoft:sharepoint_servicesmicrosoft sharepoint serviceseq2.0
microsoft:sharepoint_portal_servermicrosoft sharepoint portal servereq2003
microsoft:office_web_appsmicrosoft office web appseq2010

CPE	Name	Operator	Version
microsoft:sharepoint_services	microsoft sharepoint services	eq	3.0
microsoft:sharepoint_foundation	microsoft sharepoint foundation	eq	2010
microsoft:sharepoint_server	microsoft sharepoint server	eq	2007
microsoft:sharepoint_server	microsoft sharepoint server	eq	2010
microsoft:sharepoint_services	microsoft sharepoint services	eq	2.0
microsoft:sharepoint_portal_server	microsoft sharepoint portal server	eq	2003
microsoft:office_web_apps	microsoft office web apps	eq	2010