Vulnerability identifier: #VU22685
Vulnerability risk: Medium
CVSSv3.1: 4.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-264
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Microsoft Office for Mac
Client/Desktop applications /
Office applications
Microsoft Office
Client/Desktop applications /
Office applications
Vendor: Microsoft
Description
The vulnerability allows a remote attacker to bypass certain security restrictions.
The vulnerability exists due to Microsoft Office for Mac does not enforce macro settings on an Excel document. A remote attacker can trick the victim into opening a specially crafted Excel file and gain access to sensitive information or manipulate data.
Note, this vulnerability does not allow remote code execution.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
Microsoft Office for Mac: 2016
Microsoft Office: 2019 - 2019 for Mac
External links
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1457
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.