Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2008-1898

CWE-20Improper Input Validation7 documents5 sources
Severity
9.3CRITICAL
EPSS
77.4%
top 1.02%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
2
Microsoft OfficeMicrosoft Works
Timeline
PublishedApr 21
Latest updateMay 1

Description

A certain ActiveX control in WkImgSrv.dll 7.03.0616.0, as distributed in Microsoft Works 7 and Microsoft Office 2003 and 2007, allows remote attackers to execute arbitrary code or cause a denial of service (browser crash) via an invalid WksPictureInterface property value, which triggers an improper function call.

CVSS vector

AV:N/AC:M/C:C/I:C/A:CExploitability: 8.6 | Impact: 10.0

Affected Packages2 packages

NVDmicrosoft/office2003, 2007+1

🔴Vulnerability Details

3
GHSA
GHSA-q85g-qvvf-hm5m: A certain ActiveX control in WkImgSrv2022-05-01
CVEList
CVE-2008-1898: A certain ActiveX control in WkImgSrv2008-04-21
VulnCheck
Microsoft Office Improper Input Validation2008

💥Exploits & PoCs

3
Exploit-DB
Microsoft Works 7 - 'WkImgSrv.dll' WKsPictureInterface() ActiveX (Metasploit)2010-09-25
Exploit-DB
Microsoft Works 7 - 'WkImgSrv.dll' ActiveX Remote Buffer Overflow2008-05-02
Exploit-DB
Microsoft Works 7 - 'WkImgSrv.dll' ActiveX Denial of Service (PoC)2008-04-17
CVE-2008-1898 (CRITICAL CVSS 9.3) | A certain ActiveX control in WkImgS | cvebase.io