Information disclosure in Microsoft Office for macOS and Microsoft Outlook for macOS - CVE-2017-0207

 


Published: April 12, 2017


Vulnerability identifier: #VU6295
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2017-0207
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Microsoft
Affected software:
Microsoft Office for macOS
Microsoft Outlook for macOS

Detailed vulnerability description

The vulnerability allows a remote attacker to obtain potentially sensitive information.

The vulnerability exists due to improper validation of HTML tag input when parsing malicious files in Microsoft Outlook for Mac. A remote unauthenticated attacker can create a specially crafted email with specific HTML tags, trick the victim into opening it, perform a spoofing attack and access authentication information or login credentials.

Successful exploitation of the vulnerability results in information disclosure.




How to mitigate CVE-2017-0207

Install the update from the vendor's website.
