CVE-2020-1380

HIGH
2020-08-17 [email protected]
7.8
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Mar 26, 2026 - 11:19 vuln.today
Added to CISA KEV
Feb 23, 2026 - 20:30 cisa
CISA KEV
Patch Released
Feb 23, 2026 - 20:30 nvd
Patch available
CVE Published
Aug 17, 2020 - 19:15 nvd
HIGH 7.8

Description

A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the IE rendering engine. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability. The security update addresses the vulnerability by modifying how the scripting engine handles objects in memory.

Analysis

Internet Explorer scripting engine contains a remote code execution vulnerability through memory corruption when handling objects, exploited as a zero-day in August 2020 before patch availability.

Technical Context

The CWE-787 out-of-bounds write in the JScript9 engine occurs when processing crafted JavaScript that manipulates object properties in a specific pattern. The memory corruption allows arbitrary code execution in the IE renderer process.

Affected Products

['Microsoft Internet Explorer (JScript9 engine)', 'All Windows versions running IE']

Remediation

Migrate to Edge or other modern browsers. Apply Microsoft security update. IE reached end-of-life in June 2022.

Priority Score

191
Low Medium High Critical
KEV: +50
EPSS: +91.7
CVSS: +39
POC: 0

Share

CVE-2020-1380 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy