CVE-2013-1330

The default configuration of Microsoft SharePoint Portal Server 2003 SP3, SharePoint Server 2007 SP3 and 2010 SP1 and SP2, and Office Web Apps 2010 does not set the EnableViewStateMac attribute, which allows remote attackers to execute arbitrary code by leveraging an unassigned workflow, aka "MAC Disabled Vulnerability."

Published: Sep 11, 2013
Updated: Apr 13, 2023
CVE: CVE-2013-1330
Severity: High
Exploit:

CVSS v2:

Severity: High
Score: 10
AV:N/AC:L/Au:N/C:C/I:C/A:C

CWEs:

CWE-20

Affected Software
References

Software	From	Fixed in
microsoft / sharepoint_services	3.0	3.0.x
microsoft / sharepoint_foundation	2010-sp2	2010-sp2.x
microsoft / sharepoint_server	2007-sp3	2007-sp3.x
microsoft / sharepoint_server	2010-sp2	2010-sp2.x
microsoft / sharepoint_services	2.0	2.0.x
microsoft / sharepoint_server	2010-sp1	2010-sp1.x
microsoft / sharepoint_portal_server	2003-sp3	2003-sp3.x
microsoft / sharepoint_foundation	2010-sp1	2010-sp1.x
microsoft / office_web_apps	2010-sp1	2010-sp1.x

http://www.us-cert.gov/ncas/alerts/TA13-253A
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-067
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-105
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19040

Vulnerability Database

289,599

CVE-2013-1330