#VU13767 Improper input validation in Microsoft .NET Framework

Published: 2018-07-10

Vulnerability identifier: #VU13767

Vulnerability risk: High

CVSSv3.1: 8.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-8260


Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Microsoft .NET Framework
Server applications / Frameworks for developing and running applications

Vendor: Microsoft


The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper checking of the source markup of a file. A remote unauthenticated attacker can trick the victim into opening a specially crafted file with an affected version of .NET, inject and run arbitrary code in the context of the current user.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Install updates from vendor's website.

Vulnerable software versions

Microsoft .NET Framework: 4.7.2

External links

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability