Multiple vulnerabilities in Microsoft Excel



Published: 2022-05-10
Risk High
Patch available YES
Number of vulnerabilities 2
CVE-ID CVE-2022-29110
CVE-2022-29109
CWE-ID CWE-20
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe 		Microsoft Excel
Client/Desktop applications / Office applications

Microsoft Office
Client/Desktop applications / Office applications

Microsoft Office Web Apps Server
Server applications / Application servers

Microsoft Office LTSC 2021
Other software / Other software solutions

Microsoft 365 Apps for Enterprise
Client/Desktop applications / Other client software

Office Online Server
Server applications / Other server solutions

Vendor Microsoft

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Input validation error

EUVDB-ID: #VU62984

Risk: High

CVSSv3.1:

CVE-ID: CVE-2022-29110

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the system.

The vulnerability exists due to insufficient validation of user-supplied input in Microsoft Excel. A remote attacker can pass specially crafted input to the application and execute arbitrary code on the target system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Microsoft Excel: 2013 RT Service Pack 1 - 2016

Microsoft Office Web Apps Server: 2013 Service Pack 1

CPE2.3 External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-29110

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

2) Input validation error

EUVDB-ID: #VU62985

Risk: High

CVSSv3.1:

CVE-ID: CVE-2022-29109

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the system.

The vulnerability exists due to insufficient validation of user-supplied input in Microsoft Excel. A remote attacker can pass specially crafted input to the application and execute arbitrary code on the target system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Microsoft Office LTSC 2021: 32 bit editions - 64 bit editions

Microsoft 365 Apps for Enterprise: 32-bit Systems - 64-bit Systems

Office Online Server : All versions

Microsoft Office: 2019

CPE2.3 External links

http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-29109

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?



###SIDEBAR###