Uncontrolled Search Path Element in Windows - #VU16987
Published: January 15, 2019 / Updated: January 16, 2019
Vulnerability identifier: #VU16987
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Clear
CVE-ID: N/A
CWE-ID: CWE-427
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: Microsoft
Affected software:
Windows
Windows
Detailed vulnerability description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due the an error when processing web site link passed in VCard files within Microsoft Windows mail application. A remote attacker can trick the victim to download and open a specially crafted VCard file, then click on the link, indicated in the Web site field and execute arbitrary DLL file on the system.
Remediation
Microsoft has decided that it will not be fixing this vulnerability.