CVSS: 9.3EPSS: 97%CPEs: 8EXPL: 2CVE-2010-0266 – Microsoft Outlook - 'ATTACH_BY_REF_ONLY' File Execution (MS10-045)
https://notcve.org/view.php?id=CVE-2010-0266
Microsoft Office Outlook 2002 SP3, 2003 SP3, and 2007 SP1 and SP2 does not properly verify e-mail attachments with a PR_ATTACH_METHOD property value of ATTACH_BY_REFERENCE, which allows user-assisted remote attackers to execute arbitrary code via a crafted message, aka "Microsoft Outlook SMB Attachment Vulnerability." Microsoft Office Outlook 2002 SP3, 2003 SP3, y 2007 SP1 y SP2 no verifica correctamente adjuntos en correo electrónico con un valor adecuado PR_ATTACH_METHOD de ATTACH_BY_REFERENCE, el cual permite a atacantes remotos ayudados por el usuario ejecutar código arbitrario mediante mensajes manipulados, también conocidos como "Vulnerabilidad Microsoft Outlook SMB en adjuntos". • https://www.exploit-db.com/exploits/16700 https://www.exploit-db.com/exploits/16699 http://www.us-cert.gov/cas/techalerts/TA10-194A.html https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-045 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11623 http://www.akitasecurity.nl/advisory.php?id=AK20091001 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.3EPSS: 91%CPEs: 2EXPL: 0CVE-2010-1881
https://notcve.org/view.php?id=CVE-2010-1881
The FieldList ActiveX control in the Microsoft Access Wizard Controls in ACCWIZ.dll in Microsoft Office Access 2003 SP3 does not properly interact with the memory-access approach used by Internet Explorer and Office during instantiation, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via an HTML document that references this control along with crafted persistent storage data, aka "ACCWIZ.dll Uninitialized Variable Vulnerability." El control FieldList ActiveX en Microsoft Access Wizard Controls en ACCWIZ.dll en Microsoft Office Access 2003 SP3 no interactúa correctamente con el acceso a memoria empleado por Internet Explorer y Office durante la instanciación, el cual permite a atacantes remotos ejecutar código arbitrario o causar una denegación de servicio (corrupción de memoria) a través de un documento HTML que hace referencia a este control junto con el almacenamiento de datos persistentes manipulado, también conocido como vulnerabilidad "ACCWIZ.DLL variable sin inicializar". • http://www.us-cert.gov/cas/techalerts/TA10-194A.html https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-044 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11756 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 10.0EPSS: 89%CPEs: 6EXPL: 0CVE-2010-0814 – Microsoft Office Access AccWizObjects ActiveX Control Uninitialized Imports Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2010-0814
The Microsoft Access Wizard Controls in ACCWIZ.dll in Microsoft Office Access 2003 SP3 and 2007 SP1 and SP2 do not properly interact with the memory-allocation approach used by Internet Explorer during instantiation, which allows remote attackers to execute arbitrary code via a web site that references multiple ActiveX controls, as demonstrated by the ImexGrid and FieldList controls, aka "Access ActiveX Control Vulnerability." El Microsoft Access Wizard Controls en ACCWIZ.dll en Microsoft Office Access 2003 SP3 y 2007 SP1 y SP2 no interactúa correctamente con la asignación de memoria usada por Internet Explorer durante la instanciación, el cual permite a atacantes remotos ejecutar código arbitrario mediante un sitio web que referencia múltiples controles ActiveX, como lo demuestra los controles ImexGrid y FieldList, también conocido como "Vulnerabilidad de control de acceso ActiveX". This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Office. User interaction is required in that a user must browse to a malicious website. The specific flaws exists in the instantiation of three specific ActiveX controls. The combination of loading all three controls in a particular order results in a transfer of control to unallocated memory which can be leveraged by remote attackers to execute arbitrary code under the context of the currently logged in user. • http://www.us-cert.gov/cas/techalerts/TA10-194A.html https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-044 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11907 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.3EPSS: 94%CPEs: 11EXPL: 0CVE-2010-0823
https://notcve.org/view.php?id=CVE-2010-0823
Unspecified vulnerability in Microsoft Office Excel 2002 SP3, 2003 SP3, 2007 SP1 and SP2; Office 2004 for mac; Office 2008 for Mac; Open XML File Format Converter for Mac; Office Excel Viewer SP1 and SP2; and Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2; allows remote attackers to execute arbitrary code via a crafted Excel file, aka "Excel Memory Corruption Vulnerability," a different vulnerability than CVE-2010-1247 and CVE-2010-1249. Vulnerabilidad no especificada en Microsoft Office Excel 2002 SP3, 2003 SP3, 2007 SP1 y SP2; Office 2004 para mac; Office 2008 para Mac; Open XML File Format Converter para Mac; Office Excel Viewer SP1 y SP2; y Office Compatibility Pack para Word, Excel, y PowerPoint 2007 File Formats SP1 y SP2; permite a atacantes remotos ejecutar código de su elección a través de un fichero Excel manipulado, conocido como "Vulnerabilidad de corrupción de memoria Excel", una vulnerabilidad diferente que CVE-2010-1247 y CVE-2010-1249. • http://osvdb.org/65233 http://www.us-cert.gov/cas/techalerts/TA10-159B.html https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-038 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7240 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 4.3EPSS: 65%CPEs: 28EXPL: 0CVE-2010-1257
https://notcve.org/view.php?id=CVE-2010-1257
Cross-site scripting (XSS) vulnerability in the toStaticHTML API, as used in Microsoft Office InfoPath 2003 SP3, 2007 SP1, and 2007 SP2; Office SharePoint Server 2007 SP1 and SP2; SharePoint Services 3.0 SP1 and SP2; and Internet Explorer 8 allows remote attackers to inject arbitrary web script or HTML via vectors related to sanitization. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en la API toStaticHTML, tal como es usada en Microsoft Office InfoPath 2003 SP3, 2007 SP1 y 2007 SP2; Office SharePoint Server 2007 SP1 y SP2; SharePoint Services 3.0 SP1 y SP2 y Internet Explorer 8 permite a atacantes remotos inyectar secuencias de comandos web o HTML de su elección a través de vectores relacionados con procedimientos de limpieza. • http://support.avaya.com/css/P8/documents/100089747 http://www.securityfocus.com/bid/40409 http://www.us-cert.gov/cas/techalerts/TA10-159B.html https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-035 https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-039 https://exchange.xforce.ibmcloud.com/vulnerabilities/58866 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6677 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •