CVE-1999-1055 — Information Loss or Omission in Microsoft Excel

CWE-221 — Information Loss or Omission CWE-356 — Product UI does not Warn User of Unsafe Actions5 documents4 sources

Severity

7.5HIGHNVD

EPSS

7.7%

top 8.05%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Microsoft Excel

Timeline

PublishedDec 31

Latest updateApr 30

Description

Microsoft Excel 97 does not warn the user before executing worksheet functions, which could allow attackers to execute arbitrary commands by using the CALL function to execute a malicious DLL, aka the Excel "CALL Vulnerability."

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages1 packages

▶NVDmicrosoft/excel97

🔴Vulnerability Details

GHSA

GHSA-cx75-p9pm-2q97: Microsoft Excel 97 does not warn the user before executing worksheet functions, which could allow attackers to execute arbitrary commands by using the↗2022-04-30

▶

CVEList

CVE-1999-1055: Microsoft Excel 97 does not warn the user before executing worksheet functions, which could allow attackers to execute arbitrary commands by using the↗2002-03-09

▶

📐Framework References

CWE

Information Loss or Omission↗

▶

CWE

Product UI does not Warn User of Unsafe Actions↗

▶