CVE-2023-33140

Опубликовано: 01 авг. 2023

Источник: msrc

CVSS3: 6.5

EPSS Низкий

Описание

Microsoft OneNote Spoofing Vulnerability

FAQ

According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft OneNote and then click on a specially crafted URL to be compromised by the attacker.

According to the CVSS metrics, successful exploitation of this vulnerability could lead to major loss of confidentiality (C:H) but have no effect on integrity (I:N) or on availability (A:N). What does that mean for this vulnerability?

Successful exploitation of this vulnerability enables an attacker to obtain a victim's NetNTLMv2 hashes thus impact to Confidentiality is High. Integrity and Availability are not impacted because the hashes do not directly enable an attacker to modify data or impact the victim's application or server runtime.

Обновления

Продукт	Статья	Обновление
Microsoft OneNote for Universal	Release Notes	Security Update

Показывать по

Возможность эксплуатации

Publicly Disclosed

Exploited

Latest Software Release

Exploitation Less Likely

EPSS

Процентиль: 89%

0.04964

Низкий

6.5 Medium

CVSS3

Связанные уязвимости

CVE-2023-33140

CVSS3: 6.5

nvd

больше 2 лет назад

Microsoft OneNote Spoofing Vulnerability

GHSA-p5ph-q447-9jqq

CVSS3: 6.5

github

больше 2 лет назад

Microsoft OneNote Spoofing Vulnerability

BDU:2023-03739

CVSS3: 6.5

fstec

больше 2 лет назад

Уязвимость программного средства для создания заметок Microsoft OneNote, связанная с ошибками представления информации пользовательским интерфейсом, позволяющая нарушителю проводить спуфинг атаки

EPSS

Процентиль: 89%

0.04964

Низкий

6.5 Medium

CVSS3