Description
Multiple vulnerabilities were found in Microsoft Office. Malicious users can exploit these vulnerabilities to spoof user interface, gain privileges, execute arbitrary code, bypass security restrictions, obtain sensitive information.
Below is a complete list of vulnerabilities:
- A spoofing vulnerability exists in Microsoft SharePoint when it improperly handles requests to authorize applications, resulting in cross-site request forgery (CSRF).To exploit this vulnerability, an attacker would need to create a page specifically designed to cause a cross-site request, aka ‘Microsoft SharePoint Spoofing Vulnerability’. This CVE ID is unique from CVE-2019-1259.
- An elevation of privilege vulnerability exists in Microsoft SharePoint, aka ‘Microsoft SharePoint Elevation of Privilege Vulnerability’.
- A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package, aka ‘Microsoft SharePoint Remote Code Execution Vulnerability’. This CVE ID is unique from CVE-2019-1295, CVE-2019-1296.
- A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server, aka ‘Microsoft Office SharePoint XSS Vulnerability’.
- A remote code execution vulnerability exists in Microsoft SharePoint where APIs aren’t properly protected from unsafe data input, aka ‘Microsoft SharePoint Remote Code Execution Vulnerability’. This CVE ID is unique from CVE-2019-1257, CVE-2019-1296.
- A security feature bypass vulnerability exists when Microsoft Office improperly handles input, aka ‘Microsoft Office Security Feature Bypass Vulnerability’.
- A remote code execution vulnerability exists in Microsoft SharePoint where APIs aren’t properly protected from unsafe data input, aka ‘Microsoft SharePoint Remote Code Execution Vulnerability’. This CVE ID is unique from CVE-2019-1257, CVE-2019-1295.
- An information disclosure vulnerability exists in Lync 2013, aka ‘Lync 2013 Information Disclosure Vulnerability’.
- An information disclosure vulnerability exists when Microsoft Excel improperly discloses the contents of its memory, aka ‘Microsoft Excel Information Disclosure Vulnerability’.
- A spoofing vulnerability exists in Microsoft SharePoint when it improperly handles requests to authorize applications, resulting in cross-site request forgery (CSRF).To exploit this vulnerability, an attacker would need to create a page specifically designed to cause a cross-site request, aka ‘Microsoft SharePoint Spoofing Vulnerability’. This CVE ID is unique from CVE-2019-1261.
- A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory, aka ‘Microsoft Excel Remote Code Execution Vulnerability’.
- A remote code execution vulnerability in Jet Database Engine can be exploited remotely to execute arbitrary code.
Original advisories
- CVE-2019-1260
- CVE-2019-1257
- CVE-2019-1262
- CVE-2019-1295
- CVE-2019-1264
- CVE-2019-1296
- CVE-2019-1209
- CVE-2019-1263
- CVE-2019-1259
- CVE-2019-1297
- CVE-2019-1246
Exploitation
Malware exists for this vulnerability. Usually such malware is classified as Exploit. More details.
Related products
CVE list
- CVE-2019-1261 critical
- CVE-2019-1260 high
- CVE-2019-1257 critical
- CVE-2019-1262 high
- CVE-2019-1246 critical
- CVE-2019-1295 critical
- CVE-2019-1264 critical
- CVE-2019-1296 critical
- CVE-2019-1209 high
- CVE-2019-1263 high
- CVE-2019-1259 critical
- CVE-2019-1297 critical
KB list
- 4484098
- 4475590
- 4475596
- 4475594
- 4464557
- 4484099
- 4475605
- 4475599
- 4475591
- 4475611
- 4461631
- 4464548
- 4464566
- 4475583
- 4475589
- 4475607
- 4515509
- 4475566
- 4475579
- 4475574
Read more
Find out the statistics of the vulnerabilities spreading in your region on statistics.securelist.com
Found an inaccuracy in the description of this vulnerability? Let us know!