Cyber Resilience

CVE-2013-3896

Severity: Medium · CISA KEV · Active Exploitation · EUVD Exploited

Published: 09 October 2013
Modified: 22 April 2026
KEV Added: 25 May 2022
Patch
CVSS Score v3.1: 5.5 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
EPSS Score: 0.8471 (99.4th percentile)
Risk Priority: 82 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2013-3896 is a medium-severity vulnerability of unspecified weakness type in Microsoft Silverlight. Its CVSS base score is 5.5 (Medium).

Operationally, it is ranked in the top 0.6% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-7 (Least Functionality).

Deeper analysis

Microsoft Silverlight 5 before version 5.1.20913.0 contains an information disclosure vulnerability stemming from improper pointer validation during access to Silverlight elements. The flaw is tracked as CVE-2013-3896 and carries a CVSS 3.1 base score of 5.5, reflecting a local attack vector, low attack complexity, no privileges required and user interaction required, with the impact limited to high confidentiality loss.

Remote attackers can exploit the issue by supplying a specially crafted Silverlight application that, when rendered by an affected installation, leaks sensitive information from the host system. User interaction is required for successful exploitation, consistent with the need to load the malicious content.

Microsoft addressed the vulnerability in security bulletin MS13-087, and US-CERT alert TA13-288A recommends applying the vendor update to remediate affected Silverlight installations. OVAL definitions are also published to support detection of unpatched systems.

EU & UK References

Vulnerability details

Microsoft Silverlight 5 before 5.1.20913.0 does not properly validate pointers during access to Silverlight elements, which allows remote attackers to obtain sensitive information via a crafted Silverlight application, aka "Silverlight Vulnerability."

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

microsoft
silverlight
5.0 — 5.1.20913.0

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Directly requires applying the vendor security update (MS13-087) that corrects the pointer-validation flaw before exploitation occurs.

SC-18 Mobile Code (prevent, partial match)

Restricts or authorizes execution of Silverlight mobile code, blocking the crafted application vector that triggers the information disclosure.

CM-7 Least Functionality (prevent)

Enforces least functionality by disabling or removing the vulnerable Silverlight component when it is not required, eliminating the attack surface.

References