#VU16987 Uncontrolled Search Path Element in Windows
Published: January 15, 2019 / Updated: January 16, 2019
Vulnerability identifier: #VU16987
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Clear
CVE-ID: N/A
CWE-ID: CWE-427
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vulnerable software:
Windows
Windows
Software vendor:
Microsoft
Microsoft
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due the an error when processing web site link passed in VCard files within Microsoft Windows mail application. A remote attacker can trick the victim to download and open a specially crafted VCard file, then click on the link, indicated in the Web site field and execute arbitrary DLL file on the system.
Remediation
Microsoft has decided that it will not be fixing this vulnerability.