SecurityTracker.com

SecurityTracker
Archives


 


Category:   Application (Generic)  >   Microsoft Office
Vendors:   Microsoft
Microsoft Office Web Apps Server Script Injection Flaw Lets Remote Users Obtain Potentially Sensitive Information on the Target System
SecurityTracker Alert ID:  1041104
SecurityTracker URL:  http://securitytracker.com/id/1041104
CVE Reference:   CVE-2018-8247
Date:  Jun 12 2018
Impact:   Disclosure of system information, Disclosure of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): Microsoft Office Web Apps Server 2013 SP1, Online Server 2016
Description:   A vulnerability was reported in Microsoft Office. A remote user can obtain potentially sensitive information on the target system.

A remote user can conduct script injection attacks to create a link that, when loaded by the target user, will attempt to cause the target user to disclose potentially sensitive information.

Ashar Javed of Hyundai AutoEver Europe GmbH reported this vulnerability.

Impact:   A remote user can obtain potentially sensitive information on the target system.
Solution:   The vendor has issued a fix.

The Microsoft advisories are available at:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8247
https://www.microsoft.com/downloads/details.aspx?familyid=dfa7070c-e809-4397-9574-15d54970acd9
https://www.microsoft.com/downloads/details.aspx?familyid=82183a7a-e8ed-4343-aea3-e392522ef5b5

Vendor URL:  portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8247
Cause:   Access control error, Input validation error
Underlying OS:  Windows (Any)

Message History:   None.



Copyright 2019, SecurityGlobal.net LLC