Multiple vulnerabilities in Microsoft Excel

1) Input validation error

EUVDB-ID: #VU77260

Risk: High

CVSSv4.0: 5.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2023-33133

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the system.

The vulnerability exists due to insufficient validation of user-supplied input in Microsoft Excel. A remote attacker can trick a victim to open a specially crafted file and execute arbitrary code on the target system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Microsoft Office: 2019 - 2019 for Mac

Office Online Server: All versions

Microsoft Excel: 2013 - 2016

Microsoft Office LTSC: 32 bit editions - 2021 for Mac

Microsoft 365 Apps for Enterprise: 32-bit Systems - 64-bit Systems

CPE2.3

• cpe:2.3:a:microsoft:microsoft_office:*:*:*:*:*:*:*:*
• cpe:2.3:a:microsoft:microsoft_office:2019_for_Mac:*:*:*:*:*:*:*
• cpe:2.3:a:microsoft:office_online_server:*:*:*:*:*:*:*:*
• cpe:2.3:a:microsoft:microsoft_excel:*:*:*:*:*:microsoft_office:*:*
• cpe:2.3:a:microsoft:microsoft_excel:2013_Service_Pack_1:*:*:*:*:microsoft_office:*:*
• cpe:2.3:a:microsoft:microsoft_excel:2013_RT_Service_Pack_1:*:*:*:*:microsoft_office:*:*
• cpe:2.3:a:microsoft:microsoft_office_ltsc:32:bit editions:*:*:*:*:*:*
• cpe:2.3:a:microsoft:microsoft_office_ltsc:64:bit editions:*:*:*:*:*:*
• cpe:2.3:a:microsoft:microsoft_office_ltsc:2021:for Mac:*:*:*:*:*:*
• cpe:2.3:a:microsoft:microsoft_365_apps_for_enterprise:32-bit_Systems:*:*:*:*:*:*:*

External links

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2023-33133

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website or open a file.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Input validation error

EUVDB-ID: #VU77264

Risk: High

CVSSv4.0: 7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]

CVE-ID: CVE-2023-33137

CWE-ID: CWE-20 - Improper input validation

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to execute arbitrary code on the system.

The vulnerability exists due to insufficient validation of user-supplied input in Microsoft Excel. A remote attacker can trick a victim to open a specially crafted file and execute arbitrary code on the target system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Microsoft Excel: 2013 Service Pack 1 - 2016

Office Online Server: All versions

Microsoft Office: 2019

CPE2.3

• cpe:2.3:a:microsoft:microsoft_excel:2013_Service_Pack_1:*:*:*:*:microsoft_office:*:*
• cpe:2.3:a:microsoft:microsoft_excel:2013_RT_Service_Pack_1:*:*:*:*:microsoft_office:*:*
• cpe:2.3:a:microsoft:office_online_server:*:*:*:*:*:*:*:*

External links

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2023-33137

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website or open a file.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

3) Input validation error

EUVDB-ID: #VU77263

Risk: High

CVSSv4.0: 5.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2023-32029

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the system.

The vulnerability exists due to insufficient validation of user-supplied input in Microsoft Excel. A remote attacker can trick a victim to open a specially crafted file and execute arbitrary code on the target system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Microsoft Excel: 2013 Service Pack 1 - 2016

Microsoft Office LTSC: 32 bit editions - 2021 for Mac

Microsoft 365 Apps for Enterprise: 32-bit Systems - 64-bit Systems

Office Online Server: All versions

Microsoft Office: 2019 - 2019 for Mac

CPE2.3

• cpe:2.3:a:microsoft:microsoft_excel:2013_Service_Pack_1:*:*:*:*:microsoft_office:*:*
• cpe:2.3:a:microsoft:microsoft_excel:2013_RT_Service_Pack_1:*:*:*:*:microsoft_office:*:*
• cpe:2.3:a:microsoft:microsoft_office_ltsc:32:bit editions:*:*:*:*:*:*
• cpe:2.3:a:microsoft:microsoft_office_ltsc:64:bit editions:*:*:*:*:*:*
• cpe:2.3:a:microsoft:microsoft_office_ltsc:2021:for Mac:*:*:*:*:*:*
• cpe:2.3:a:microsoft:microsoft_365_apps_for_enterprise:32-bit_Systems:*:*:*:*:*:*:*
• cpe:2.3:a:microsoft:microsoft_365_apps_for_enterprise:64-bit_Systems:*:*:*:*:*:*:*
• cpe:2.3:a:microsoft:office_online_server:*:*:*:*:*:*:*:*
• cpe:2.3:a:microsoft:microsoft_office:2019_for_Mac:*:*:*:*:*:*:*

External links

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2023-32029

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website or open a file.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.