CVE-2004-0502
published 2004-08-18

Priority: P4 31 | Severity: medium | CVSS 2.0 score: 5
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
EXPLOIT
EPSS: 20.17% (97.1th percentile)

Outlook 2003, when replying to an e-mail message, stores certain files in a predictable location for the "src" of an img tag of the original message, which allows remote attackers to bypass zone restrictions and exploit other issues that rely on predictable locations, as demonstrated using a shell: URI.

Affected

1 range

Vendor | Product | Version range | Fixed in
microsoft | outlook | |

Detection & IOCs (extracted from sources)

  • Microsoft Outlook 2003 stores files specified in img tags in predictable filesystem locations, enabling attackers to place malicious content and reference it by a known path — monitor for unexpected file writes to Outlook's temporary/cache directories triggered by incoming email with img tags
  • CVE-2004-0502 (predictable file location) is chained with CVE-2004-0503 (OLE/Windows Media Player script execution via RTF) — detect RTF emails containing embedded OLE objects referencing Windows Media Player arriving in Outlook 2003
  • The attack chain enables unprompted executable installation — alert on child processes spawned from Outlook 2003 (outlook.exe) or Windows Media Player (wmplayer.exe) following receipt of RTF email
  • Many Internet Explorer vulnerabilities depend on the attacker being able to directly reference malicious content on a victim system — monitor for IE or embedded browser instances loading files from Outlook's predictable cache paths shortly after email receipt
  • The predictable file location vulnerability is specific to Microsoft Outlook 2003; other versions are not mentioned as affected
  • Full exploitation requires chaining CVE-2004-0502 with at least one other vulnerability (e.g., CVE-2004-0503 or another IE/browser-based flaw); neither alone is sufficient for code execution