Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CERTFR-2020-AVI-564
Vulnerability from certfr_avis - Published: 2020-09-09 - Updated: 2020-09-09
De multiples vulnérabilités ont été corrigées dans les produits Microsoft. Elles permettent à un attaquant de provoquer une usurpation d'identité, une atteinte à la confidentialité des données, une élévation de privilèges, une exécution de code à distance et un contournement de la fonctionnalité de sécurité.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Microsoft | N/A | Microsoft Exchange Server 2016 Cumulative Update 16 | ||
| Microsoft | N/A | Microsoft Exchange Server 2019 Cumulative Update 5 | ||
| Microsoft | N/A | ChakraCore | ||
| Microsoft | N/A | Microsoft Visual Studio 2017 version 15.9 (includes 15.0 - 15.8) | ||
| Microsoft | N/A | Microsoft Visual Studio 2019 version 16.7 (includes 16.0 – 16.6) | ||
| Microsoft | N/A | SQL Server 2017 Reporting Services | ||
| Microsoft | N/A | Dynamics 365 pour Finance and Operations | ||
| Microsoft | N/A | Microsoft Business Productivity Servers 2010 Service Pack 2 | ||
| Microsoft | N/A | Microsoft Visual Studio 2019 version 16.4 (includes 16.0 - 16.3) | ||
| Microsoft | N/A | Microsoft Visual Studio 2019 version 16.0 | ||
| Microsoft | N/A | SQL Server 2019 Reporting Services | ||
| Microsoft | N/A | Visual Studio Code | ||
| Microsoft | N/A | Microsoft Visual Studio 2013 Update 5 | ||
| Microsoft | N/A | Microsoft 365 Apps pour Enterprise pour systèmes 32 bits | ||
| Microsoft | N/A | Microsoft 365 Apps pour Enterprise pour 64 bits Systems | ||
| Microsoft | N/A | Microsoft Exchange Server 2019 Cumulative Update 6 | ||
| Microsoft | N/A | Microsoft Visual Studio 2015 Update 3 | ||
| Microsoft | N/A | xamarin.forms | ||
| Microsoft | N/A | Microsoft Dynamics 365 (on-premises) version 9.0 | ||
| Microsoft | N/A | Microsoft Dynamics 365 (on-premises) version 8.2 | ||
| Microsoft | N/A | Microsoft Visual Studio 2012 Update 5 | ||
| Microsoft | N/A | Microsoft Exchange Server 2016 Cumulative Update 17 |
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Microsoft Exchange Server 2016 Cumulative Update 16",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Microsoft Exchange Server 2019 Cumulative Update 5",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "ChakraCore",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Microsoft Visual Studio 2017 version 15.9 (includes 15.0 - 15.8)",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Microsoft Visual Studio 2019 version 16.7 (includes 16.0 \u2013 16.6)",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "SQL Server 2017 Reporting Services",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Dynamics 365 pour Finance and Operations",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Microsoft Business Productivity Servers 2010 Service Pack 2",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Microsoft Visual Studio 2019 version 16.4 (includes 16.0 - 16.3)",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Microsoft Visual Studio 2019 version 16.0",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "SQL Server 2019 Reporting Services",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Visual Studio Code",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Microsoft Visual Studio 2013 Update 5",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Microsoft 365 Apps pour Enterprise pour syst\u00e8mes 32 bits",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Microsoft 365 Apps pour Enterprise pour 64 bits Systems",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Microsoft Exchange Server 2019 Cumulative Update 6",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Microsoft Visual Studio 2015 Update 3",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "xamarin.forms",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Microsoft Dynamics 365 (on-premises) version 9.0",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Microsoft Dynamics 365 (on-premises) version 8.2",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Microsoft Visual Studio 2012 Update 5",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
},
{
"description": "Microsoft Exchange Server 2016 Cumulative Update 17",
"product": {
"name": "N/A",
"vendor": {
"name": "Microsoft",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2020-16861",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-16861"
},
{
"name": "CVE-2020-16860",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-16860"
},
{
"name": "CVE-2020-16862",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-16862"
},
{
"name": "CVE-2020-16872",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-16872"
},
{
"name": "CVE-2020-1172",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-1172"
},
{
"name": "CVE-2020-1332",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-1332"
},
{
"name": "CVE-2020-16875",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-16875"
},
{
"name": "CVE-2020-1218",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-1218"
},
{
"name": "CVE-2020-1338",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-1338"
},
{
"name": "CVE-2020-16856",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-16856"
},
{
"name": "CVE-2020-1180",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-1180"
},
{
"name": "CVE-2020-1057",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-1057"
},
{
"name": "CVE-2020-0878",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-0878"
},
{
"name": "CVE-2020-1210",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-1210"
},
{
"name": "CVE-2020-16881",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-16881"
},
{
"name": "CVE-2020-1224",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-1224"
},
{
"name": "CVE-2020-16859",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-16859"
},
{
"name": "CVE-2020-1130",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-1130"
},
{
"name": "CVE-2020-1044",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-1044"
},
{
"name": "CVE-2020-1193",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-1193"
},
{
"name": "CVE-2020-1594",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-1594"
},
{
"name": "CVE-2020-1133",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-1133"
},
{
"name": "CVE-2020-16864",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-16864"
},
{
"name": "CVE-2020-16878",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-16878"
},
{
"name": "CVE-2020-16873",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-16873"
},
{
"name": "CVE-2020-1335",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-1335"
},
{
"name": "CVE-2020-16871",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-16871"
},
{
"name": "CVE-2020-16857",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-16857"
},
{
"name": "CVE-2020-16874",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-16874"
},
{
"name": "CVE-2020-16858",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-16858"
}
],
"initial_release_date": "2020-09-09T00:00:00",
"last_revision_date": "2020-09-09T00:00:00",
"links": [],
"reference": "CERTFR-2020-AVI-564",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2020-09-09T00:00:00.000000"
}
],
"risks": [
{
"description": "Usurpation d\u0027identit\u00e9"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Contournement de la fonctionnalit\u00e9 de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 corrig\u00e9es dans \u003cspan\nclass=\"textit\"\u003eles produits Microsoft\u003c/span\u003e. Elles permettent \u00e0 un\nattaquant de provoquer une usurpation d\u0027identit\u00e9, une atteinte \u00e0 la\nconfidentialit\u00e9 des donn\u00e9es, une \u00e9l\u00e9vation de privil\u00e8ges, une ex\u00e9cution\nde code \u00e0 distance et un contournement de la fonctionnalit\u00e9 de s\u00e9curit\u00e9.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Microsoft",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Microsoft du 08 septembre 2020",
"url": "https://portal.msrc.microsoft.com/fr-FR/security-guidance"
}
]
}
CVE-2020-1224 (GCVE-0-2020-1224)
Vulnerability from cvelistv5 – Published: 2020-09-11 17:09 – Updated: 2024-08-04 06:31
VLAI
EPSS
Title
Microsoft Excel Information Disclosure Vulnerability
Summary
<p>An information disclosure vulnerability exists when Microsoft Excel improperly discloses the contents of its memory. An attacker who exploited the vulnerability could use the information to compromise the user’s computer or data.</p>
<p>To exploit the vulnerability, an attacker could craft a special document file and then convince the user to open it. An attacker must know the memory address location where the object was created.</p>
<p>The update addresses the vulnerability by changing the way certain Excel functions handle objects in memory.</p>
Severity
CWE
- Information Disclosure
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://portal.msrc.microsoft.com/en-US/security-… | x_refsource_MISC |
Impacted products
10 products
| Vendor | Product | Version | |
|---|---|---|---|
| Microsoft | Microsoft SharePoint Enterprise Server 2013 Service Pack 1 |
Affected:
15.0.0 , < publication
(custom)
cpe:2.3:a:microsoft:sharepoint_server:2013:sp1:*:*:enterprise:*:*:* |
|
| Microsoft | Microsoft Office 2019 |
Affected:
19.0.0 , < https://aka.ms/OfficeSecurityReleases
(custom)
cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:*:* |
|
| Microsoft | Microsoft Office 2019 for Mac |
Affected:
16.0.0 , < publication
(custom)
cpe:2.3:a:microsoft:office:2019:*:*:*:*:macos:*:* |
|
| Microsoft | Microsoft Office Online Server |
Affected:
16.0.1 , < publication
(custom)
cpe:2.3:a:microsoft:office_online_server:-:*:*:*:*:*:*:* |
|
| Microsoft | Microsoft 365 Apps for Enterprise |
Affected:
16.0.1 , < https://aka.ms/OfficeSecurityReleases
(custom)
cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:*:* |
|
| Microsoft | Microsoft Excel 2016 |
Affected:
16.0.0.0 , < publication
(custom)
cpe:2.3:a:microsoft:excel:2016:*:*:*:*:*:x86:* cpe:2.3:a:microsoft:excel:2016:*:*:*:*:*:x64:* |
|
| Microsoft | Microsoft Office 2016 for Mac |
Affected:
16.0.0 , < publication
(custom)
cpe:2.3:a:microsoft:office:2016:*:*:*:*:mac_os:*:* |
|
| Microsoft | Microsoft Excel 2010 Service Pack 2 |
Affected:
13.0.0.0 , < publication
(custom)
cpe:2.3:a:microsoft:excel:2010:sp2:*:*:*:*:*:* |
|
| Microsoft | Microsoft Excel 2013 Service Pack 1 |
Affected:
15.0.0.0 , < publication
(custom)
cpe:2.3:a:microsoft:excel:2013:sp1:*:*:rt:*:*:* cpe:2.3:a:microsoft:excel:2013:sp1:*:*:*:*:x86:* cpe:2.3:a:microsoft:excel:2013:sp1:*:*:*:*:x64:* |
|
| Microsoft | Microsoft Office Web Apps 2013 Service Pack 1 |
Affected:
15.0.0.0 , < publication
(custom)
cpe:2.3:a:microsoft:office_web_apps:2013:sp1:*:*:*:*:*:* |
Date Public
2020-09-08 07:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T06:31:59.956Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1224"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:microsoft:sharepoint_server:2013:sp1:*:*:enterprise:*:*:*"
],
"platforms": [
"x64-based Systems"
],
"product": "Microsoft SharePoint Enterprise Server 2013 Service Pack 1",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "publication",
"status": "affected",
"version": "15.0.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:*:*"
],
"platforms": [
"32-bit Systems",
"x64-based Systems"
],
"product": "Microsoft Office 2019",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "https://aka.ms/OfficeSecurityReleases",
"status": "affected",
"version": "19.0.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:microsoft:office:2019:*:*:*:*:macos:*:*"
],
"platforms": [
"Unknown"
],
"product": "Microsoft Office 2019 for Mac",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "publication",
"status": "affected",
"version": "16.0.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:microsoft:office_online_server:-:*:*:*:*:*:*:*"
],
"platforms": [
"Unknown"
],
"product": "Microsoft Office Online Server",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "publication",
"status": "affected",
"version": "16.0.1",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:*:*"
],
"platforms": [
"32-bit Systems",
"x64-based Systems"
],
"product": "Microsoft 365 Apps for Enterprise",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "https://aka.ms/OfficeSecurityReleases",
"status": "affected",
"version": "16.0.1",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:microsoft:excel:2016:*:*:*:*:*:x86:*",
"cpe:2.3:a:microsoft:excel:2016:*:*:*:*:*:x64:*"
],
"platforms": [
"32-bit Systems",
"x64-based Systems"
],
"product": "Microsoft Excel 2016",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "publication",
"status": "affected",
"version": "16.0.0.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:microsoft:office:2016:*:*:*:*:mac_os:*:*"
],
"platforms": [
"Unknown"
],
"product": "Microsoft Office 2016 for Mac",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "publication",
"status": "affected",
"version": "16.0.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:microsoft:excel:2010:sp2:*:*:*:*:*:*"
],
"platforms": [
"32-bit Systems",
"x64-based Systems"
],
"product": "Microsoft Excel 2010 Service Pack 2",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "publication",
"status": "affected",
"version": "13.0.0.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:microsoft:excel:2013:sp1:*:*:rt:*:*:*",
"cpe:2.3:a:microsoft:excel:2013:sp1:*:*:*:*:x86:*",
"cpe:2.3:a:microsoft:excel:2013:sp1:*:*:*:*:x64:*"
],
"platforms": [
"ARM64-based Systems",
"32-bit Systems",
"x64-based Systems"
],
"product": "Microsoft Excel 2013 Service Pack 1",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "publication",
"status": "affected",
"version": "15.0.0.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:microsoft:office_web_apps:2013:sp1:*:*:*:*:*:*"
],
"platforms": [
"Unknown"
],
"product": "Microsoft Office Web Apps 2013 Service Pack 1",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "publication",
"status": "affected",
"version": "15.0.0.0",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-09-08T07:00:00.000Z",
"descriptions": [
{
"lang": "en-US",
"value": "\u003cp\u003eAn information disclosure vulnerability exists when Microsoft Excel improperly discloses the contents of its memory. An attacker who exploited the vulnerability could use the information to compromise the user\u2019s computer or data.\u003c/p\u003e\n\u003cp\u003eTo exploit the vulnerability, an attacker could craft a special document file and then convince the user to open it. An attacker must know the memory address location where the object was created.\u003c/p\u003e\n\u003cp\u003eThe update addresses the vulnerability by changing the way certain Excel functions handle objects in memory.\u003c/p\u003e"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Information Disclosure",
"lang": "en-US",
"type": "Impact"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-31T21:34:51.332Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1224"
}
],
"title": "Microsoft Excel Information Disclosure Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2020-1224",
"datePublished": "2020-09-11T17:09:08.000Z",
"dateReserved": "2019-11-04T00:00:00.000Z",
"dateUpdated": "2024-08-04T06:31:59.956Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-1332 (GCVE-0-2020-1332)
Vulnerability from cvelistv5 – Published: 2020-09-11 17:09 – Updated: 2024-08-04 06:32
VLAI
EPSS
Title
Microsoft Excel Remote Code Execution Vulnerability
Summary
<p>A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.</p>
<p>Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Excel. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) containing a specially crafted file designed to exploit the vulnerability. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file.</p>
<p>The security update addresses the vulnerability by correcting how Microsoft Excel handles objects in memory.</p>
Severity
CWE
- Remote Code Execution
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://portal.msrc.microsoft.com/en-US/security-… | x_refsource_MISC |
Impacted products
5 products
| Vendor | Product | Version | |
|---|---|---|---|
| Microsoft | Microsoft Office 2019 |
Affected:
19.0.0 , < https://aka.ms/OfficeSecurityReleases
(custom)
cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:*:* |
|
| Microsoft | Microsoft 365 Apps for Enterprise |
Affected:
16.0.1 , < https://aka.ms/OfficeSecurityReleases
(custom)
cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:*:* |
|
| Microsoft | Microsoft Excel 2016 |
Affected:
16.0.0.0 , < publication
(custom)
cpe:2.3:a:microsoft:excel:2016:*:*:*:*:*:x86:* cpe:2.3:a:microsoft:excel:2016:*:*:*:*:*:x64:* |
|
| Microsoft | Microsoft Excel 2010 Service Pack 2 |
Affected:
13.0.0.0 , < publication
(custom)
cpe:2.3:a:microsoft:excel:2010:sp2:*:*:*:*:*:* |
|
| Microsoft | Microsoft Excel 2013 Service Pack 1 |
Affected:
15.0.0.0 , < publication
(custom)
cpe:2.3:a:microsoft:excel:2013:sp1:*:*:rt:*:*:* cpe:2.3:a:microsoft:excel:2013:sp1:*:*:*:*:x86:* cpe:2.3:a:microsoft:excel:2013:sp1:*:*:*:*:x64:* |
Date Public
2020-09-08 07:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T06:32:00.776Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1332"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:*:*"
],
"platforms": [
"32-bit Systems",
"x64-based Systems"
],
"product": "Microsoft Office 2019",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "https://aka.ms/OfficeSecurityReleases",
"status": "affected",
"version": "19.0.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:*:*"
],
"platforms": [
"32-bit Systems",
"x64-based Systems"
],
"product": "Microsoft 365 Apps for Enterprise",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "https://aka.ms/OfficeSecurityReleases",
"status": "affected",
"version": "16.0.1",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:microsoft:excel:2016:*:*:*:*:*:x86:*",
"cpe:2.3:a:microsoft:excel:2016:*:*:*:*:*:x64:*"
],
"platforms": [
"32-bit Systems",
"x64-based Systems"
],
"product": "Microsoft Excel 2016",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "publication",
"status": "affected",
"version": "16.0.0.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:microsoft:excel:2010:sp2:*:*:*:*:*:*"
],
"platforms": [
"32-bit Systems",
"x64-based Systems"
],
"product": "Microsoft Excel 2010 Service Pack 2",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "publication",
"status": "affected",
"version": "13.0.0.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:microsoft:excel:2013:sp1:*:*:rt:*:*:*",
"cpe:2.3:a:microsoft:excel:2013:sp1:*:*:*:*:x86:*",
"cpe:2.3:a:microsoft:excel:2013:sp1:*:*:*:*:x64:*"
],
"platforms": [
"ARM64-based Systems",
"32-bit Systems",
"x64-based Systems"
],
"product": "Microsoft Excel 2013 Service Pack 1",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "publication",
"status": "affected",
"version": "15.0.0.0",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-09-08T07:00:00.000Z",
"descriptions": [
{
"lang": "en-US",
"value": "\u003cp\u003eA remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\u003c/p\u003e\n\u003cp\u003eExploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Excel. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) containing a specially crafted file designed to exploit the vulnerability. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file.\u003c/p\u003e\n\u003cp\u003eThe security update addresses the vulnerability by correcting how Microsoft Excel handles objects in memory.\u003c/p\u003e"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Remote Code Execution",
"lang": "en-US",
"type": "Impact"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-31T21:34:57.022Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1332"
}
],
"title": "Microsoft Excel Remote Code Execution Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2020-1332",
"datePublished": "2020-09-11T17:09:14.000Z",
"dateReserved": "2019-11-04T00:00:00.000Z",
"dateUpdated": "2024-08-04T06:32:00.776Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-1335 (GCVE-0-2020-1335)
Vulnerability from cvelistv5 – Published: 2020-09-11 17:09 – Updated: 2024-08-04 06:32
VLAI
EPSS
Title
Microsoft Excel Remote Code Execution Vulnerability
Summary
<p>A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.</p>
<p>Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Excel. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) containing a specially crafted file designed to exploit the vulnerability. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file.</p>
<p>The security update addresses the vulnerability by correcting how Microsoft Excel handles objects in memory.</p>
Severity
CWE
- Remote Code Execution
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://portal.msrc.microsoft.com/en-US/security-… | x_refsource_MISC |
Impacted products
11 products
| Vendor | Product | Version | |
|---|---|---|---|
| Microsoft | Microsoft SharePoint Server 2019 |
Affected:
16.0.0 , < publication
(custom)
cpe:2.3:a:microsoft:sharepoint_server:2019:*:*:*:*:*:*:* |
|
| Microsoft | Microsoft Office 2019 |
Affected:
19.0.0 , < https://aka.ms/OfficeSecurityReleases
(custom)
cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:*:* |
|
| Microsoft | Microsoft Office Online Server |
Affected:
16.0.1 , < publication
(custom)
cpe:2.3:a:microsoft:office_online_server:-:*:*:*:*:*:*:* |
|
| Microsoft | Microsoft 365 Apps for Enterprise |
Affected:
16.0.1 , < https://aka.ms/OfficeSecurityReleases
(custom)
cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:*:* |
|
| Microsoft | Microsoft Excel 2016 |
Affected:
16.0.0.0 , < publication
(custom)
cpe:2.3:a:microsoft:excel:2016:*:*:*:*:*:x86:* cpe:2.3:a:microsoft:excel:2016:*:*:*:*:*:x64:* |
|
| Microsoft | Microsoft Office 2016 |
Affected:
16.0.0 , < publication
(custom)
cpe:2.3:a:microsoft:office:2016:*:*:*:*:*:x86:* cpe:2.3:a:microsoft:office:2016:*:*:*:*:*:x64:* |
|
| Microsoft | Microsoft Excel 2010 Service Pack 2 |
Affected:
13.0.0.0 , < publication
(custom)
cpe:2.3:a:microsoft:excel:2010:sp2:*:*:*:*:*:* |
|
| Microsoft | Microsoft Excel 2013 Service Pack 1 |
Affected:
15.0.0.0 , < publication
(custom)
cpe:2.3:a:microsoft:excel:2013:sp1:*:*:rt:*:*:* cpe:2.3:a:microsoft:excel:2013:sp1:*:*:*:*:x86:* cpe:2.3:a:microsoft:excel:2013:sp1:*:*:*:*:x64:* |
|
| Microsoft | Microsoft Office 2010 Service Pack 2 |
Affected:
13.0.0.0 , < publication
(custom)
cpe:2.3:a:microsoft:excel:2010:sp2:*:*:*:*:*:* |
|
| Microsoft | Microsoft Office 2013 Service Pack 1 |
Affected:
15.0.0 , < publication
(custom)
cpe:2.3:a:microsoft:office:2013:sp1:*:*:rt:*:*:* cpe:2.3:a:microsoft:office:2013:sp1:*:*:*:*:x86:* cpe:2.3:a:microsoft:office:2013:sp1:*:*:*:*:x64:* |
|
| Microsoft | Microsoft Office Web Apps 2013 Service Pack 1 |
Affected:
15.0.0.0 , < publication
(custom)
cpe:2.3:a:microsoft:office_web_apps:2013:sp1:*:*:*:*:*:* |
Date Public
2020-09-08 07:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T06:32:01.210Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1335"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:microsoft:sharepoint_server:2019:*:*:*:*:*:*:*"
],
"platforms": [
"x64-based Systems"
],
"product": "Microsoft SharePoint Server 2019",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "publication",
"status": "affected",
"version": "16.0.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:*:*"
],
"platforms": [
"32-bit Systems",
"x64-based Systems"
],
"product": "Microsoft Office 2019",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "https://aka.ms/OfficeSecurityReleases",
"status": "affected",
"version": "19.0.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:microsoft:office_online_server:-:*:*:*:*:*:*:*"
],
"platforms": [
"Unknown"
],
"product": "Microsoft Office Online Server",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "publication",
"status": "affected",
"version": "16.0.1",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:*:*"
],
"platforms": [
"32-bit Systems",
"x64-based Systems"
],
"product": "Microsoft 365 Apps for Enterprise",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "https://aka.ms/OfficeSecurityReleases",
"status": "affected",
"version": "16.0.1",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:microsoft:excel:2016:*:*:*:*:*:x86:*",
"cpe:2.3:a:microsoft:excel:2016:*:*:*:*:*:x64:*"
],
"platforms": [
"32-bit Systems",
"x64-based Systems"
],
"product": "Microsoft Excel 2016",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "publication",
"status": "affected",
"version": "16.0.0.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:microsoft:office:2016:*:*:*:*:*:x86:*",
"cpe:2.3:a:microsoft:office:2016:*:*:*:*:*:x64:*"
],
"platforms": [
"32-bit Systems",
"x64-based Systems"
],
"product": "Microsoft Office 2016",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "publication",
"status": "affected",
"version": "16.0.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:microsoft:excel:2010:sp2:*:*:*:*:*:*"
],
"platforms": [
"32-bit Systems",
"x64-based Systems"
],
"product": "Microsoft Excel 2010 Service Pack 2",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "publication",
"status": "affected",
"version": "13.0.0.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:microsoft:excel:2013:sp1:*:*:rt:*:*:*",
"cpe:2.3:a:microsoft:excel:2013:sp1:*:*:*:*:x86:*",
"cpe:2.3:a:microsoft:excel:2013:sp1:*:*:*:*:x64:*"
],
"platforms": [
"ARM64-based Systems",
"32-bit Systems",
"x64-based Systems"
],
"product": "Microsoft Excel 2013 Service Pack 1",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "publication",
"status": "affected",
"version": "15.0.0.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:microsoft:excel:2010:sp2:*:*:*:*:*:*"
],
"platforms": [
"32-bit Systems",
"x64-based Systems"
],
"product": "Microsoft Office 2010 Service Pack 2",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "publication",
"status": "affected",
"version": "13.0.0.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:microsoft:office:2013:sp1:*:*:rt:*:*:*",
"cpe:2.3:a:microsoft:office:2013:sp1:*:*:*:*:x86:*",
"cpe:2.3:a:microsoft:office:2013:sp1:*:*:*:*:x64:*"
],
"platforms": [
"ARM64-based Systems",
"32-bit Systems",
"x64-based Systems"
],
"product": "Microsoft Office 2013 Service Pack 1",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "publication",
"status": "affected",
"version": "15.0.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:microsoft:office_web_apps:2013:sp1:*:*:*:*:*:*"
],
"platforms": [
"Unknown"
],
"product": "Microsoft Office Web Apps 2013 Service Pack 1",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "publication",
"status": "affected",
"version": "15.0.0.0",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-09-08T07:00:00.000Z",
"descriptions": [
{
"lang": "en-US",
"value": "\u003cp\u003eA remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\u003c/p\u003e\n\u003cp\u003eExploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Excel. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) containing a specially crafted file designed to exploit the vulnerability. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file.\u003c/p\u003e\n\u003cp\u003eThe security update addresses the vulnerability by correcting how Microsoft Excel handles objects in memory.\u003c/p\u003e"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Remote Code Execution",
"lang": "en-US",
"type": "Impact"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-31T21:34:57.530Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1335"
}
],
"title": "Microsoft Excel Remote Code Execution Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2020-1335",
"datePublished": "2020-09-11T17:09:14.000Z",
"dateReserved": "2019-11-04T00:00:00.000Z",
"dateUpdated": "2024-08-04T06:32:01.210Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-1338 (GCVE-0-2020-1338)
Vulnerability from cvelistv5 – Published: 2020-09-11 17:09 – Updated: 2024-08-04 06:32
VLAI
EPSS
Title
Microsoft Word Remote Code Execution Vulnerability
Summary
<p>A remote code execution vulnerability exists in Microsoft Word software when it fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could use a specially crafted file to perform actions in the security context of the current user. For example, the file could then take actions on behalf of the logged-on user with the same permissions as the current user.</p>
<p>To exploit the vulnerability, a user must open a specially crafted file with an affected version of Microsoft Word software. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability. However, an attacker would have no way to force the user to visit the website. Instead, an attacker would have to convince the user to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince the user to open the specially crafted file.</p>
<p>The security update addresses the vulnerability by correcting how Microsoft Word handles files in memory.</p>
Severity
CWE
- Remote Code Execution
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://portal.msrc.microsoft.com/en-US/security-… | x_refsource_MISC |
Impacted products
6 products
| Vendor | Product | Version | |
|---|---|---|---|
| Microsoft | Microsoft SharePoint Server 2019 |
Affected:
16.0.0 , < publication
(custom)
cpe:2.3:a:microsoft:sharepoint_server:2019:*:*:*:*:*:*:* |
|
| Microsoft | Microsoft Office 2019 |
Affected:
19.0.0 , < https://aka.ms/OfficeSecurityReleases
(custom)
cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:*:* |
|
| Microsoft | Microsoft Office 2019 for Mac |
Affected:
16.0.0 , < publication
(custom)
cpe:2.3:a:microsoft:office:2019:*:*:*:*:macos:*:* |
|
| Microsoft | Microsoft Office Online Server |
Affected:
16.0.1 , < publication
(custom)
cpe:2.3:a:microsoft:office_online_server:-:*:*:*:*:*:*:* |
|
| Microsoft | Microsoft 365 Apps for Enterprise |
Affected:
16.0.1 , < https://aka.ms/OfficeSecurityReleases
(custom)
cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:*:* |
|
| Microsoft | Microsoft Office 2016 for Mac |
Affected:
16.0.0 , < publication
(custom)
cpe:2.3:a:microsoft:office:2016:*:*:*:*:mac_os:*:* |
Date Public
2020-09-08 07:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T06:32:01.240Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1338"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:microsoft:sharepoint_server:2019:*:*:*:*:*:*:*"
],
"platforms": [
"x64-based Systems"
],
"product": "Microsoft SharePoint Server 2019",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "publication",
"status": "affected",
"version": "16.0.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:*:*"
],
"platforms": [
"32-bit Systems",
"x64-based Systems"
],
"product": "Microsoft Office 2019",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "https://aka.ms/OfficeSecurityReleases",
"status": "affected",
"version": "19.0.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:microsoft:office:2019:*:*:*:*:macos:*:*"
],
"platforms": [
"Unknown"
],
"product": "Microsoft Office 2019 for Mac",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "publication",
"status": "affected",
"version": "16.0.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:microsoft:office_online_server:-:*:*:*:*:*:*:*"
],
"platforms": [
"Unknown"
],
"product": "Microsoft Office Online Server",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "publication",
"status": "affected",
"version": "16.0.1",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:*:*"
],
"platforms": [
"32-bit Systems",
"x64-based Systems"
],
"product": "Microsoft 365 Apps for Enterprise",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "https://aka.ms/OfficeSecurityReleases",
"status": "affected",
"version": "16.0.1",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:microsoft:office:2016:*:*:*:*:mac_os:*:*"
],
"platforms": [
"Unknown"
],
"product": "Microsoft Office 2016 for Mac",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "publication",
"status": "affected",
"version": "16.0.0",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-09-08T07:00:00.000Z",
"descriptions": [
{
"lang": "en-US",
"value": "\u003cp\u003eA remote code execution vulnerability exists in Microsoft Word software when it fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could use a specially crafted file to perform actions in the security context of the current user. For example, the file could then take actions on behalf of the logged-on user with the same permissions as the current user.\u003c/p\u003e\n\u003cp\u003eTo exploit the vulnerability, a user must open a specially crafted file with an affected version of Microsoft Word software. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability. However, an attacker would have no way to force the user to visit the website. Instead, an attacker would have to convince the user to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince the user to open the specially crafted file.\u003c/p\u003e\n\u003cp\u003eThe security update addresses the vulnerability by correcting how Microsoft Word handles files in memory.\u003c/p\u003e"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Remote Code Execution",
"lang": "en-US",
"type": "Impact"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-31T21:34:58.046Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1338"
}
],
"title": "Microsoft Word Remote Code Execution Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2020-1338",
"datePublished": "2020-09-11T17:09:15.000Z",
"dateReserved": "2019-11-04T00:00:00.000Z",
"dateUpdated": "2024-08-04T06:32:01.240Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-1594 (GCVE-0-2020-1594)
Vulnerability from cvelistv5 – Published: 2020-09-11 17:09 – Updated: 2024-08-04 06:39
VLAI
EPSS
Title
Microsoft Excel Remote Code Execution Vulnerability
Summary
<p>A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.</p>
<p>Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Excel. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) containing a specially crafted file designed to exploit the vulnerability. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file.</p>
<p>The security update addresses the vulnerability by correcting how Microsoft Excel handles objects in memory.</p>
Severity
CWE
- Remote Code Execution
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://portal.msrc.microsoft.com/en-US/security-… | x_refsource_MISC |
Impacted products
5 products
| Vendor | Product | Version | |
|---|---|---|---|
| Microsoft | Microsoft Office 2019 |
Affected:
19.0.0 , < https://aka.ms/OfficeSecurityReleases
(custom)
cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:*:* |
|
| Microsoft | Microsoft 365 Apps for Enterprise |
Affected:
16.0.1 , < https://aka.ms/OfficeSecurityReleases
(custom)
cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:*:* |
|
| Microsoft | Microsoft Excel 2016 |
Affected:
16.0.0.0 , < publication
(custom)
cpe:2.3:a:microsoft:excel:2016:*:*:*:*:*:x86:* cpe:2.3:a:microsoft:excel:2016:*:*:*:*:*:x64:* |
|
| Microsoft | Microsoft Excel 2010 Service Pack 2 |
Affected:
13.0.0.0 , < publication
(custom)
cpe:2.3:a:microsoft:excel:2010:sp2:*:*:*:*:*:* |
|
| Microsoft | Microsoft Excel 2013 Service Pack 1 |
Affected:
15.0.0.0 , < publication
(custom)
cpe:2.3:a:microsoft:excel:2013:sp1:*:*:rt:*:*:* cpe:2.3:a:microsoft:excel:2013:sp1:*:*:*:*:x86:* cpe:2.3:a:microsoft:excel:2013:sp1:*:*:*:*:x64:* |
Date Public
2020-09-08 07:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T06:39:10.591Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1594"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:*:*"
],
"platforms": [
"32-bit Systems",
"x64-based Systems"
],
"product": "Microsoft Office 2019",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "https://aka.ms/OfficeSecurityReleases",
"status": "affected",
"version": "19.0.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:microsoft:365_apps:-:*:*:*:enterprise:*:*:*"
],
"platforms": [
"32-bit Systems",
"x64-based Systems"
],
"product": "Microsoft 365 Apps for Enterprise",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "https://aka.ms/OfficeSecurityReleases",
"status": "affected",
"version": "16.0.1",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:microsoft:excel:2016:*:*:*:*:*:x86:*",
"cpe:2.3:a:microsoft:excel:2016:*:*:*:*:*:x64:*"
],
"platforms": [
"32-bit Systems",
"x64-based Systems"
],
"product": "Microsoft Excel 2016",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "publication",
"status": "affected",
"version": "16.0.0.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:microsoft:excel:2010:sp2:*:*:*:*:*:*"
],
"platforms": [
"32-bit Systems",
"x64-based Systems"
],
"product": "Microsoft Excel 2010 Service Pack 2",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "publication",
"status": "affected",
"version": "13.0.0.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:microsoft:excel:2013:sp1:*:*:rt:*:*:*",
"cpe:2.3:a:microsoft:excel:2013:sp1:*:*:*:*:x86:*",
"cpe:2.3:a:microsoft:excel:2013:sp1:*:*:*:*:x64:*"
],
"platforms": [
"ARM64-based Systems",
"32-bit Systems",
"x64-based Systems"
],
"product": "Microsoft Excel 2013 Service Pack 1",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "publication",
"status": "affected",
"version": "15.0.0.0",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-09-08T07:00:00.000Z",
"descriptions": [
{
"lang": "en-US",
"value": "\u003cp\u003eA remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\u003c/p\u003e\n\u003cp\u003eExploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Excel. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) containing a specially crafted file designed to exploit the vulnerability. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file.\u003c/p\u003e\n\u003cp\u003eThe security update addresses the vulnerability by correcting how Microsoft Excel handles objects in memory.\u003c/p\u003e"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Remote Code Execution",
"lang": "en-US",
"type": "Impact"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-31T21:35:00.793Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1594"
}
],
"title": "Microsoft Excel Remote Code Execution Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2020-1594",
"datePublished": "2020-09-11T17:09:26.000Z",
"dateReserved": "2019-11-04T00:00:00.000Z",
"dateUpdated": "2024-08-04T06:39:10.591Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-16856 (GCVE-0-2020-16856)
Vulnerability from cvelistv5 – Published: 2020-09-11 17:08 – Updated: 2024-08-04 13:45
VLAI
EPSS
Title
Visual Studio Remote Code Execution Vulnerability
Summary
<p>A remote code execution vulnerability exists in Visual Studio when it improperly handles objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.</p>
<p>To exploit the vulnerability, an attacker would have to convince a user to open a specially crafted file with an affected version of Visual Studio.</p>
<p>The update addresses the vulnerability by correcting how Visual Studio handles objects in memory.</p>
Severity
CWE
- Remote Code Execution
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://portal.msrc.microsoft.com/en-US/security-… | x_refsource_MISC |
Impacted products
7 products
| Vendor | Product | Version | |
|---|---|---|---|
| Microsoft | Microsoft Visual Studio 2019 version 16.7 (includes 16.0 – 16.6) |
Affected:
16.0.0 , < publication
(custom)
cpe:2.3:a:microsoft:visual_studio_2019:*:*:*:*:*:*:*:* |
|
| Microsoft | Microsoft Visual Studio 2017 version 15.9 (includes 15.0 - 15.8) |
Affected:
15.9.0 , < publication
(custom)
cpe:2.3:a:microsoft:visual_studio_2017:*:*:*:*:*:*:*:* |
|
| Microsoft | Microsoft Visual Studio 2019 version 16.0 |
Affected:
16.0 , < publication
(custom)
cpe:2.3:a:microsoft:visual_studio_2019:*:*:*:*:*:*:*:* |
|
| Microsoft | Microsoft Visual Studio 2019 version 16.4 (includes 16.0 - 16.3) |
Affected:
16.0 , < publication
(custom)
cpe:2.3:a:microsoft:visual_studio_2019:*:*:*:*:*:*:*:* |
|
| Microsoft | Microsoft Visual Studio 2012 Update 5 |
Affected:
11.0.0 , < publication
(custom)
cpe:2.3:a:microsoft:visual_studio:2012:update_5:*:*:*:*:*:* |
|
| Microsoft | Microsoft Visual Studio 2013 Update 5 |
Affected:
12.0.0 , < publication
(custom)
cpe:2.3:a:microsoft:visual_studio:2013:update_5:*:*:*:*:*:* |
|
| Microsoft | Microsoft Visual Studio 2015 Update 3 |
Affected:
14.0.0 , < publication
(custom)
cpe:2.3:a:microsoft:visual_studio:2015:update3:*:*:*:*:*:* |
Date Public
2020-09-08 07:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:45:34.276Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16856"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:microsoft:visual_studio_2019:*:*:*:*:*:*:*:*"
],
"platforms": [
"Unknown"
],
"product": "Microsoft Visual Studio 2019 version 16.7 (includes 16.0 \u2013 16.6)",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "publication",
"status": "affected",
"version": "16.0.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:microsoft:visual_studio_2017:*:*:*:*:*:*:*:*"
],
"platforms": [
"Unknown"
],
"product": "Microsoft Visual Studio 2017 version 15.9 (includes 15.0 - 15.8)",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "publication",
"status": "affected",
"version": "15.9.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:microsoft:visual_studio_2019:*:*:*:*:*:*:*:*"
],
"platforms": [
"Unknown"
],
"product": "Microsoft Visual Studio 2019 version 16.0",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "publication",
"status": "affected",
"version": "16.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:microsoft:visual_studio_2019:*:*:*:*:*:*:*:*"
],
"platforms": [
"Unknown"
],
"product": "Microsoft Visual Studio 2019 version 16.4 (includes 16.0 - 16.3)",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "publication",
"status": "affected",
"version": "16.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:microsoft:visual_studio:2012:update_5:*:*:*:*:*:*"
],
"platforms": [
"Unknown"
],
"product": "Microsoft Visual Studio 2012 Update 5",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "publication",
"status": "affected",
"version": "11.0.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:microsoft:visual_studio:2013:update_5:*:*:*:*:*:*"
],
"platforms": [
"Unknown"
],
"product": "Microsoft Visual Studio 2013 Update 5",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "publication",
"status": "affected",
"version": "12.0.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:microsoft:visual_studio:2015:update3:*:*:*:*:*:*"
],
"platforms": [
"Unknown"
],
"product": "Microsoft Visual Studio 2015 Update 3",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "publication",
"status": "affected",
"version": "14.0.0",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-09-08T07:00:00.000Z",
"descriptions": [
{
"lang": "en-US",
"value": "\u003cp\u003eA remote code execution vulnerability exists in Visual Studio when it improperly handles objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.\u003c/p\u003e\n\u003cp\u003eTo exploit the vulnerability, an attacker would have to convince a user to open a specially crafted file with an affected version of Visual Studio.\u003c/p\u003e\n\u003cp\u003eThe update addresses the vulnerability by correcting how Visual Studio handles objects in memory.\u003c/p\u003e"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Remote Code Execution",
"lang": "en-US",
"type": "Impact"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-31T21:34:01.879Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16856"
}
],
"title": "Visual Studio Remote Code Execution Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2020-16856",
"datePublished": "2020-09-11T17:08:40.000Z",
"dateReserved": "2020-08-04T00:00:00.000Z",
"dateUpdated": "2024-08-04T13:45:34.276Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-16857 (GCVE-0-2020-16857)
Vulnerability from cvelistv5 – Published: 2020-09-11 17:08 – Updated: 2024-08-04 13:45
VLAI
EPSS
Title
Microsoft Dynamics 365 for Finance and Operations (on-premises) Remote Code Execution Vulnerability
Summary
<p>A remote code execution vulnerability exists in Microsoft Dynamics 365 for Finance and Operations (on-premises) version 10.0.11. An attacker who successfully exploited this vulnerability could gain remote code execution via server-side script execution on the victim server.</p>
<p>An authenticated attacker with privileges to import and export data could exploit this vulnerability by sending a specially crafted file to a vulnerable Dynamics server.</p>
<p>The security update addresses the vulnerability by correcting how Microsoft Dynamics 365 for Finance and Operations (on-premises) version 10.0.11 handles user input.</p>
Severity
CWE
- Remote Code Execution
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://portal.msrc.microsoft.com/en-US/security-… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Microsoft | Dynamics 365 for Finance and Operations |
Affected:
10.0.0 , < publication
(custom)
cpe:2.3:a:microsoft:dynamics_365:-:*:*:*:*:finance_and_operations:*:* |
Date Public
2020-09-08 07:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:45:33.226Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16857"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:microsoft:dynamics_365:-:*:*:*:*:finance_and_operations:*:*"
],
"platforms": [
"Unknown"
],
"product": "Dynamics 365 for Finance and Operations",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "publication",
"status": "affected",
"version": "10.0.0",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-09-08T07:00:00.000Z",
"descriptions": [
{
"lang": "en-US",
"value": "\u003cp\u003eA remote code execution vulnerability exists in Microsoft Dynamics 365 for Finance and Operations (on-premises) version 10.0.11. An attacker who successfully exploited this vulnerability could gain remote code execution via server-side script execution on the victim server.\u003c/p\u003e\n\u003cp\u003eAn authenticated attacker with privileges to import and export data could exploit this vulnerability by sending a specially crafted file to a vulnerable Dynamics server.\u003c/p\u003e\n\u003cp\u003eThe security update addresses the vulnerability by correcting how Microsoft Dynamics 365 for Finance and Operations (on-premises) version 10.0.11 handles user input.\u003c/p\u003e"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:N/E:P/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Remote Code Execution",
"lang": "en-US",
"type": "Impact"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-31T21:34:02.443Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16857"
}
],
"title": "Microsoft Dynamics 365 for Finance and Operations (on-premises) Remote Code Execution Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2020-16857",
"datePublished": "2020-09-11T17:08:41.000Z",
"dateReserved": "2020-08-04T00:00:00.000Z",
"dateUpdated": "2024-08-04T13:45:33.226Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-16858 (GCVE-0-2020-16858)
Vulnerability from cvelistv5 – Published: 2020-09-11 17:08 – Updated: 2024-08-04 13:45
VLAI
EPSS
Title
Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability
Summary
<p>A cross site scripting vulnerability exists when Microsoft Dynamics 365 (on-premises) does not properly sanitize a specially crafted web request to an affected Dynamics server. An authenticated attacker could exploit the vulnerability by sending a specially crafted request to an affected Dynamics server.</p>
<p>The attacker who successfully exploited the vulnerability could then perform cross-site scripting attacks on affected systems and run script in the security context of the current authenticated user. These attacks could allow the attacker to read content that the attacker is not authorized to read, use the victim's identity to take actions within Dynamics Server on behalf of the user, such as change permissions and delete content, and inject malicious content in the browser of the user.</p>
<p>The security update addresses the vulnerability by helping to ensure that Dynamics Server properly sanitizes web requests.</p>
Severity
CWE
- Spoofing
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://portal.msrc.microsoft.com/en-US/security-… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Microsoft | Microsoft Dynamics 365 (on-premises) version 9.0 |
Affected:
9.0.0 , < publication
(custom)
cpe:2.3:a:microsoft:dynamics_365:9.0:*:*:*:on-premises:*:*:* |
Date Public
2020-09-08 07:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:45:34.617Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16858"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:microsoft:dynamics_365:9.0:*:*:*:on-premises:*:*:*"
],
"platforms": [
"Unknown"
],
"product": "Microsoft Dynamics 365 (on-premises) version 9.0",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "publication",
"status": "affected",
"version": "9.0.0",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-09-08T07:00:00.000Z",
"descriptions": [
{
"lang": "en-US",
"value": "\u003cp\u003eA cross site scripting vulnerability exists when Microsoft Dynamics 365 (on-premises) does not properly sanitize a specially crafted web request to an affected Dynamics server. An authenticated attacker could exploit the vulnerability by sending a specially crafted request to an affected Dynamics server.\u003c/p\u003e\n\u003cp\u003eThe attacker who successfully exploited the vulnerability could then perform cross-site scripting attacks on affected systems and run script in the security context of the current authenticated user. These attacks could allow the attacker to read content that the attacker is not authorized to read, use the victim\u0027s identity to take actions within Dynamics Server on behalf of the user, such as change permissions and delete content, and inject malicious content in the browser of the user.\u003c/p\u003e\n\u003cp\u003eThe security update addresses the vulnerability by helping to ensure that Dynamics Server properly sanitizes web requests.\u003c/p\u003e"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:P/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Spoofing",
"lang": "en-US",
"type": "Impact"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-31T21:34:02.955Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16858"
}
],
"title": "Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2020-16858",
"datePublished": "2020-09-11T17:08:42.000Z",
"dateReserved": "2020-08-04T00:00:00.000Z",
"dateUpdated": "2024-08-04T13:45:34.617Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-16859 (GCVE-0-2020-16859)
Vulnerability from cvelistv5 – Published: 2020-09-11 17:08 – Updated: 2024-08-04 13:45
VLAI
EPSS
Title
Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability
Summary
<p>A cross site scripting vulnerability exists when Microsoft Dynamics 365 (on-premises) does not properly sanitize a specially crafted web request to an affected Dynamics server. An authenticated attacker could exploit the vulnerability by sending a specially crafted request to an affected Dynamics server.</p>
<p>The attacker who successfully exploited the vulnerability could then perform cross-site scripting attacks on affected systems and run script in the security context of the current authenticated user. These attacks could allow the attacker to read content that the attacker is not authorized to read, use the victim's identity to take actions within Dynamics Server on behalf of the user, such as change permissions and delete content, and inject malicious content in the browser of the user.</p>
<p>The security update addresses the vulnerability by helping to ensure that Dynamics Server properly sanitizes web requests.</p>
Severity
CWE
- Spoofing
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://portal.msrc.microsoft.com/en-US/security-… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Microsoft | Microsoft Dynamics 365 (on-premises) version 9.0 |
Affected:
9.0.0 , < publication
(custom)
cpe:2.3:a:microsoft:dynamics_365:9.0:*:*:*:on-premises:*:*:* |
Date Public
2020-09-08 07:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:45:34.010Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16859"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:microsoft:dynamics_365:9.0:*:*:*:on-premises:*:*:*"
],
"platforms": [
"Unknown"
],
"product": "Microsoft Dynamics 365 (on-premises) version 9.0",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "publication",
"status": "affected",
"version": "9.0.0",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-09-08T07:00:00.000Z",
"descriptions": [
{
"lang": "en-US",
"value": "\u003cp\u003eA cross site scripting vulnerability exists when Microsoft Dynamics 365 (on-premises) does not properly sanitize a specially crafted web request to an affected Dynamics server. An authenticated attacker could exploit the vulnerability by sending a specially crafted request to an affected Dynamics server.\u003c/p\u003e\n\u003cp\u003eThe attacker who successfully exploited the vulnerability could then perform cross-site scripting attacks on affected systems and run script in the security context of the current authenticated user. These attacks could allow the attacker to read content that the attacker is not authorized to read, use the victim\u0027s identity to take actions within Dynamics Server on behalf of the user, such as change permissions and delete content, and inject malicious content in the browser of the user.\u003c/p\u003e\n\u003cp\u003eThe security update addresses the vulnerability by helping to ensure that Dynamics Server properly sanitizes web requests.\u003c/p\u003e"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:P/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Spoofing",
"lang": "en-US",
"type": "Impact"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-31T21:34:03.454Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16859"
}
],
"title": "Microsoft Dynamics 365 (On-Premise) Cross Site Scripting Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2020-16859",
"datePublished": "2020-09-11T17:08:42.000Z",
"dateReserved": "2020-08-04T00:00:00.000Z",
"dateUpdated": "2024-08-04T13:45:34.010Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-16860 (GCVE-0-2020-16860)
Vulnerability from cvelistv5 – Published: 2020-09-11 17:08 – Updated: 2024-08-04 13:45
VLAI
EPSS
Title
Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability
Summary
<p>A remote code execution vulnerability exists in Microsoft Dynamics 365 (on-premises) when the server fails to properly sanitize web requests to an affected Dynamics server. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the SQL service account.
An authenticated attacker could exploit this vulnerability by sending a specially crafted request to a vulnerable Dynamics server.
The security update addresses the vulnerability by correcting how Microsoft Dynamics 365 (on-premises) validates and sanitizes user input.</p>
Severity
CWE
- Remote Code Execution
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://portal.msrc.microsoft.com/en-US/security-… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Microsoft | Microsoft Dynamics 365 (on-premises) version 9.0 |
Affected:
9.0.0 , < publication
(custom)
cpe:2.3:a:microsoft:dynamics_365:9.0:*:*:*:on-premises:*:*:* |
Date Public
2020-09-08 07:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:45:34.333Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16860"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:microsoft:dynamics_365:9.0:*:*:*:on-premises:*:*:*"
],
"platforms": [
"Unknown"
],
"product": "Microsoft Dynamics 365 (on-premises) version 9.0",
"vendor": "Microsoft",
"versions": [
{
"lessThan": "publication",
"status": "affected",
"version": "9.0.0",
"versionType": "custom"
}
]
}
],
"datePublic": "2020-09-08T07:00:00.000Z",
"descriptions": [
{
"lang": "en-US",
"value": "\u003cp\u003eA remote code execution vulnerability exists in Microsoft Dynamics 365 (on-premises) when the server fails to properly sanitize web requests to an affected Dynamics server. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the SQL service account.\nAn authenticated attacker could exploit this vulnerability by sending a specially crafted request to a vulnerable Dynamics server.\nThe security update addresses the vulnerability by correcting how Microsoft Dynamics 365 (on-premises) validates and sanitizes user input.\u003c/p\u003e"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en-US",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Remote Code Execution",
"lang": "en-US",
"type": "Impact"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-12-31T21:34:04.005Z",
"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"shortName": "microsoft"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16860"
}
],
"title": "Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8",
"assignerShortName": "microsoft",
"cveId": "CVE-2020-16860",
"datePublished": "2020-09-11T17:08:43.000Z",
"dateReserved": "2020-08-04T00:00:00.000Z",
"dateUpdated": "2024-08-04T13:45:34.333Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…