#VU5956 XML injection in Windows - CVE-2017-0045

 


Published: March 14, 2017 / Updated: March 16, 2017


Vulnerability identifier: #VU5956
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:L/SC:L/SI:N/SA:N/E:P/U:Clear
CVE-ID: CVE-2017-0045
CWE-ID: CWE-611
Exploitation vector: Remote access
Exploit availability: Public exploit is available
Vulnerable software:
Windows
Software vendor:
Microsoft

Description

The disclosed vulnerability allows a remote attacker to gain access to potentially sensitive data.

The vulnerability exists due to a flaw in Windows DVD Maker when parsing a malicious .msdvd file. A remote attacker can create a specially crafted .msdvd file, trick the victim into opening it and read arbitrary files on the victim's computer.

Successful exploitation of this vulnerability may allow an attacker to read arbitrary files on the victim's computer.
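
A triage check for the file type described above, as an added example that is not part of the original advisory: it flags .msdvd files that declare a DTD or an external entity, the construct behind CWE-611, including UTF-16 files that a plain byte search would miss. The sample inputs are constructed, and the check assumes that .msdvd project files are XML and that a legitimate project needs no external entity references.

```python
import re

# Constructed samples; element names are made up, not the real .msdvd schema.
BENIGN = b'<?xml version="1.0"?>\n<project><title>Holiday</title></project>'
_EXT_TEXT = ('<?xml version="1.0" encoding="utf-16"?>\n'
             '<!DOCTYPE project [<!ENTITY e SYSTEM "file:///PLACEHOLDER">]>\n'
             '<project><title>&e;</title></project>')
EXTERNAL_UTF16 = _EXT_TEXT.encode("utf-16")       # UTF-16 with a BOM
EXTERNAL_NO_BOM = _EXT_TEXT.encode("utf-16-le")   # UTF-16 without a BOM
INTERNAL_ONLY = b'<!DOCTYPE project [<!ENTITY e "text">]><project>&e;</project>'
COMMENTED = b'<project><!-- <!ENTITY e SYSTEM "x"> --></project>'

_COMMENT = re.compile(r"<!--.*?-->", re.S)
_DOCTYPE = re.compile(r"<!DOCTYPE\b")
# External general or parameter entity, or an external DTD subset.
_EXTERNAL = re.compile(
    r"<!ENTITY\s+(?:%\s+)?[\w.:-]+\s+(?:SYSTEM|PUBLIC)\b"
    r"|<!DOCTYPE\s+[\w.:-]+\s+(?:SYSTEM|PUBLIC)\b")


def decode_xml(data: bytes) -> str:
    """Decode XML bytes, honouring a BOM or BOM-less UTF-16."""
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        return data.decode("utf-16", errors="replace")
    if data.startswith(b"\xef\xbb\xbf"):
        return data.decode("utf-8-sig", errors="replace")
    if data[:2] == b"<\x00":
        return data.decode("utf-16-le", errors="replace")
    if data[:2] == b"\x00<":
        return data.decode("utf-16-be", errors="replace")
    return data.decode("utf-8", errors="replace")


def triage(data: bytes) -> str:
    """Return 'block', 'review' or 'clean' for one project file's bytes."""
    text = _COMMENT.sub("", decode_xml(data))  # ignore commented-out markup
    if _EXTERNAL.search(text):
        return "block"      # external entity or external DTD reference
    if _DOCTYPE.search(text):
        return "review"     # inline DTD without external references
    return "clean"


if __name__ == "__main__":
    for name in ("BENIGN", "EXTERNAL_UTF16", "EXTERNAL_NO_BOM",
                 "INTERNAL_ONLY", "COMMENTED"):
        print(name, triage(globals()[name]))
```

This is a pre-filter for mail or download gateways, not a parser; files it marks "review" still need a look before they are opened on an unpatched system.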


Remediation

Install the update from the vendor's website.
