Multiple vulnerabilities in Microsoft Visual Studio
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 6 |
| CVE-ID | CVE-2023-36796 CVE-2023-36758 CVE-2023-36759 CVE-2023-36792 CVE-2023-36793 CVE-2023-36794 |
| CWE-ID | CWE-20 CWE-264 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Visual Studio Universal components / Libraries / Software for developers .NET Other software / Other software solutions Microsoft .NET Framework Server applications / Frameworks for developing and running applications |
| Vendor | Microsoft |
Security Bulletin
This security bulletin contains information about 6 vulnerabilities.
1) Input validation error
EUVDB-ID: #VU80669
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-36796
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the system.
The vulnerability exists due to insufficient validation of user-supplied input in Visual Studio. A remote attacker can trick a victim to open a specially crafted package file and execute arbitrary code on the target system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsVisual Studio: 15.9 - 17.7.3 17.7.34024.191
.NET: 6.0.1 - 7.0.10
Microsoft .NET Framework: before 4.8.09186.0
External linkshttp://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2023-36796
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU80677
Risk: Low
CVSSv3.1: 6.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-36758
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to application does not properly impose security restrictions in Visual Studio, which leads to security restrictions bypass and privilege escalation.
MitigationInstall updates from vendor's website.
Vulnerable software versionsVisual Studio: before 17.7.4 17.7.34031.279
External linkshttp://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2023-36758
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU80676
Risk: Medium
CVSSv3.1: 6.2 [CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-36759
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to escalate privileges on the system.
The vulnerability exists due to application does not properly impose security restrictions in Visual Studio. A remote user can trick a victim to open a specialyl crafted file, which leads to security restrictions bypass and privilege escalation.
MitigationInstall updates from vendor's website.
Vulnerable software versionsVisual Studio: before 17.7.4 17.7.34031.279
External linkshttp://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2023-36759
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Input validation error
EUVDB-ID: #VU80675
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-36792
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the system.
The vulnerability exists due to insufficient validation of user-supplied input in Visual Studio. A remote attacker can trick a victim to open a specially crafted package file and execute arbitrary code on the target system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsMicrosoft .NET Framework: before 4.8.09186.01
Visual Studio: before 17.7.4 17.7.34031.279
.NET: before 7.0.11
External linkshttp://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2023-36792
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Input validation error
EUVDB-ID: #VU80674
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-36793
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the system.
The vulnerability exists due to insufficient validation of user-supplied input in Visual Studio. A remote attacker can trick a victim to open a specially crafted package file and execute arbitrary code on the target system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsVisual Studio: 16.0 - 2022 version 17.7
Microsoft .NET Framework: 2.0 Service Pack 2 - 4.8.1
.NET: 6.0.0 - 7.0.0
External linkshttp://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2023-36793
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Input validation error
EUVDB-ID: #VU80671
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-36794
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the system.
The vulnerability exists due to insufficient validation of user-supplied input in Visual Studio. A remote attacker can trick a victim to open a specially crafted package file and execute arbitrary code on the target system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsVisual Studio: 16.0 - 2022 version 17.7
Microsoft .NET Framework: 2.0 Service Pack 2 - 4.8.1
.NET: 6.0.0 - 7.0.0
External linkshttp://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2023-36794
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
