CVE-2010-3190 - Vulnerability Details

Description

Untrusted search path vulnerability in the Microsoft Foundation Class (MFC) Library in Microsoft Visual Studio .NET 2003 SP1; Visual Studio 2005 SP1, 2008 SP1, and 2010; Visual C++ 2005 SP1, 2008 SP1, and 2010; and Exchange Server 2010 Service Pack 3, 2013, and 2013 allows local users to gain privileges via a Trojan horse dwmapi.dll file in the current working directory during execution of an MFC application such as AtlTraceTool8.exe (aka ATL MFC Trace Tool), as demonstrated by a directory that contains a TRC, cur, rs, rct, or res file, aka "MFC Insecure Library Loading Vulnerability."

Published: 2010-08-31

Score: 7.8 High

EPSS: 46.7% Moderate

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

affected

Version	Status	Constraints
`n/a`	affected	—

Configuration 1 [-]

cpe:2.3:a:apple:itunes:12.1.3:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:a:microsoft:visual_c\+\+:2005:sp1:::redistributable_package:::*
	cpe:2.3:a:microsoft:visual_c\+\+:2008:sp1:::redistributable_package:::*
	cpe:2.3:a:microsoft:visual_c\+\+:2010:sp1:::redistributable_package:::*
	cpe:2.3:a:microsoft:visual_studio:2005:sp1::::::
	cpe:2.3:a:microsoft:visual_studio:2008:sp1::::::
	cpe:2.3:a:microsoft:visual_studio:2010:-::::::
	cpe:2.3:a:microsoft:visual_studio_.net:2003:sp1::::::

No data.

No data available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

This CVE is not in the KEV list.

The EPSS score is 0.46742.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
http://lists.apple.com/archives/security-announce/2015/Sep/msg00003.html
http://secunia.com/advisories/41212
http://www.corelan.be:8800/index.php/2010/08/25/dll-hijacking-kb-2269637-the-unofficial-list/
http://www.securityfocus.com/bid/42811
http://www.us-cert.gov/cas/techalerts/TA11-102A.html
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2011/ms11-025
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12457
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2010-3190
https://support.apple.com/HT205221

History

Thu, 28 May 2026 19:30:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Subscriptions

Apple Itunes

Microsoft Visual C\+\+ Visual Studio Visual Studio .net

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2010-08-31T19:25:00.000Z

Updated: 2026-05-28T18:28:46.313Z

Reserved: 2010-08-31T00:00:00.000Z

Link: CVE-2010-3190

Vulnrichment

Updated: 2024-08-07T03:03:18.775Z

NVD

Status : Modified

Published: 2010-08-31T20:00:02.297

Modified: 2026-05-28T19:16:23.390

Link: CVE-2010-3190

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-426

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object