Microsoft Internet Explorer up to 11 HTML Rendering Engine mshtml.dll CDoc::SetMouseCapture location.href resource management
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 6.0 | $0-$5k | 0.00 |
Summary
A vulnerability identified as very critical has been detected in Microsoft Internet Explorer up to 11. The affected element is the function CDoc::SetMouseCapture in the library mshtml.dll of the component HTML Rendering Engine. The manipulation of the argument location.href with the input ms-help:// leads to resource management.
This vulnerability is listed as CVE-2013-3893. The attack may be initiated remotely. In addition, an exploit is available. This vulnerability has a historic impact because of its background and how it was received.
It is suggested to install a patch to address this issue.
Details
A vulnerability was found in Microsoft Internet Explorer up to 11 (Web Browser). It has been rated as very critical. This issue affects the function CDoc::SetMouseCapture in the library mshtml.dll of the component HTML Rendering Engine. The manipulation of the argument location.href with the input value ms-help:// leads to a resource management vulnerability. Using CWE to declare the problem leads to CWE-399. Impacted is confidentiality, integrity, and availability. The summary by CVE is:
Use-after-free vulnerability in the SetMouseCapture implementation in mshtml.dll in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code via crafted JavaScript strings, as demonstrated by use of an ms-help: URL that triggers loading of hxds.dll.
The issue has been introduced in 03/22/2001. The weakness was presented 09/17/2013 as MS13-080 as confirmed bulletin (Technet). The advisory is shared at technet.microsoft.com. The public release happened without involvement of Microsoft. The identification of this vulnerability is CVE-2013-3893 since 06/03/2013. The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. It demands that the victim is doing some kind of user interaction. Technical details as well as a public exploit are known. The price for an exploit might be around USD $0-$5k at the moment (estimation calculated on 08/12/2025). It is expected to see the exploit prices for this product decreasing in the near future.Due to its background and reception, this vulnerability has a historic impact.
A public exploit has been developed in Ruby. The exploit is available at community.rapid7.com. It is declared as attacked. The vulnerability was handled as a non-public zero-day exploit for at least 4562 days. During that time the estimated underground price was around $25k-$100k. The vulnerability scanner Nessus provides a plugin with the ID 69931 (MS KB2887505: Vulnerability in Internet Explorer Could Allow Remote Code Execution), which helps to determine the existence of the flaw in a target environment. It is assigned to the family Windows. The commercial vulnerability scanner Qualys is able to test this issue with plugin 100164 (Microsoft Internet Explorer Multiple Remote Code Execution Vulnerabilities (MS13-080)). The CISA Known Exploited Vulnerabilities Catalog lists this issue since 08/12/2025 with a due date of 09/02/2025:
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Applying the patch Fix It 51001/51002 is able to eliminate this problem. The bugfix is ready for download at blogs.technet.com. It is possible to mitigate the problem by applying the configuration setting HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EMET\_settings_\VALUE_FROM_STEP_1\heap_pages / Add 0x12121212. The best possible mitigation is suggested to be patching the affected component. A possible mitigation has been published immediately after the disclosure of the vulnerability. Furthermore it is possible to detect and prevent this kind of attack with TippingPoint and the filter 13197.
The vulnerability is also documented in the databases at Exploit-DB (49872), Zero-Day.cz (43), Tenable (69931), SecurityFocus (BID 62453†) and OSVDB (97380†). krebsonsecurity.com is providing further details. See VDB-10619, VDB-10620, VDB-10621 and VDB-10622 for similar entries. Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Product
Type
Vendor
Name
Version
License
Support
Website
- Vendor: https://www.microsoft.com/
CPE 2.3
CPE 2.2
Screenshot
Video
Youtube: Not available anymoreCVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 6.3VulDB Meta Temp Score: 6.0
VulDB Base Score: 6.3
VulDB Temp Score: 6.0
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Resource managementCWE: CWE-399 / CWE-404
CAPEC: 🔍
ATT&CK: 🔍
Physical: No
Local: No
Remote: Yes
Availability: 🔍
Access: Public
Status: Attacked
Programming Language: 🔍
Download: 🔍
EPSS Score: 🔍
EPSS Percentile: 🔍
KEV Added: 🔍
KEV Due: 🔍
KEV Remediation: 🔍
KEV Ransomware: 🔍
KEV Notice: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Nessus ID: 69931
Nessus Name: MS KB2887505: Vulnerability in Internet Explorer Could Allow Remote Code Execution
Nessus File: 🔍
Nessus Risk: 🔍
Nessus Family: 🔍
OpenVAS ID: 803867
OpenVAS Name: Microsoft Internet Explorer Multiple Memory Corruption Vulnerabilities (2879017)
OpenVAS File: 🔍
OpenVAS Family: 🔍
Saint ID: exploit_info/ie_onlosecapture_event_uaf
Saint Name: Internet Explorer HTML Rendering Engine onLoseCapture Use-After-Free Vulnerability
Qualys ID: 🔍
Qualys Name: 🔍
MetaSploit ID: ie_setmousecapture_uaf.rb
MetaSploit Name: MS13-080 Microsoft Internet Explorer SetMouseCapture Use-After-Free
MetaSploit File: 🔍
Exploit-DB: 🔍
Zero-Day.cz: 🔍
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: PatchStatus: 🔍
Reaction Time: 🔍
0-Day Time: 🔍
Exposure Time: 🔍
Patch: Fix It 51001/51002
Config: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EMET\_settings_\VALUE_FROM_STEP_1\heap_pages / Add 0x12121212
Suricata ID: 2017478
Suricata Class: 🔍
Suricata Message: 🔍
TippingPoint: 🔍
McAfee IPS Version: 🔍
ISS Proventia IPS: 🔍
PaloAlto IPS: 🔍
Fortigate IPS: 🔍
Timeline
03/22/2001 🔍06/03/2013 🔍
09/17/2013 🔍
09/17/2013 🔍
09/17/2013 🔍
09/17/2013 🔍
09/17/2013 🔍
09/17/2013 🔍
09/18/2013 🔍
09/18/2013 🔍
09/18/2013 🔍
09/19/2013 🔍
08/12/2025 🔍
Sources
Vendor: microsoft.comAdvisory: MS13-080
Status: Confirmed
Confirmation: 🔍
CVE: CVE-2013-3893 (🔍)
GCVE (CVE): GCVE-0-2013-3893
GCVE (VulDB): GCVE-100-10313
OVAL: 🔍
IAVM: 🔍
SecurityFocus: 62453
Secunia: 54884 - Microsoft Internet Explorer Multiple Vulnerabilities, Extremely Critical
OSVDB: 97380 - Microsoft IE HTML Rendering Engine CDoc::SetMouseCapture Function Use-after-free Arbitrary Code Execution
Vulnerability Center: 41541 - [MS13-080] Microsoft Internet Explorer 6-11 on Workstations Remote Code Execution Vulnerability - CVE-2013-3893, Critical
scip Labs: https://www.scip.ch/en/?labs.20161013
Misc.: 🔍
See also: 🔍
Entry
Created: 09/19/2013 12:50Updated: 08/12/2025 22:17
Changes: 09/19/2013 12:50 (69), 04/07/2017 12:04 (44), 05/25/2021 08:04 (8), 05/25/2021 08:10 (2), 05/25/2021 08:11 (1), 06/19/2024 06:04 (15), 07/13/2024 20:05 (4), 06/07/2025 13:59 (1), 08/12/2025 17:49 (1), 08/12/2025 22:17 (9)
Complete: 🔍
Cache ID: 216:4DF:103
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
No comments yet. Languages: en.
Please log in to comment.