#VU15869 Information disclosure in Microsoft Office
Vulnerability identifier: #VU15869
Vulnerability risk: Low
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-200
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Microsoft Office
Client/Desktop applications /
Office applications
Vendor: Microsoft
Description
The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.
The weakness exists due to an error when attaching files to Outlook messages. A remote attacker can attach a file as a link to an email, ignore the default organizational setting and share attached files such that they are accessible by anonymous users where they should be restricted to specific users.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
Microsoft Office: 2019, 365 ProPlus
External links
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8579
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
