CVE-2009-1136

CWE-94 — Code Injection6 documents5 sources

Severity

9.3CRITICAL

EPSS

86.1%

top 0.60%

CISA KEV

Not in KEV

Exploit

Exploited in wild

Active exploitation observed

Affected products

Microsoft ISA Server Microsoft Office Microsoft Office WEB Components +1 more

Timeline

PublishedJul 15

Latest updateMay 2

Description

The Microsoft Office Web Components Spreadsheet ActiveX control (aka OWC10 or OWC11), as distributed in Office XP SP3 and Office 2003 SP3, Office XP Web Components SP3, Office 2003 Web Components SP3, Office 2003 Web Components SP1 for the 2007 Microsoft Office System, Internet Security and Acceleration (ISA) Server 2004 SP3 and 2006 Gold and SP1, and Office Small Business Accounting 2006, when used in Internet Explorer, allows remote attackers to execute arbitrary code via a crafted call to the…

CVSS vector

AV:N/AC:M/C:C/I:C/A:CExploitability: 8.6 | Impact: 10.0

Affected Packages4 packages

▶NVDmicrosoft/office_web_components2003, xp+1

▶NVDmicrosoft/office2003

▶NVDmicrosoft/office_xpsp3

▶NVDmicrosoft/isa_server2004, 2006+1

🔴Vulnerability Details

GHSA

GHSA-3vw3-8gqg-phx5: The Microsoft Office Web Components Spreadsheet ActiveX control (aka OWC10 or OWC11), as distributed in Office XP SP3 and Office 2003 SP3, Office XP W↗2022-05-02

▶

CVEList

CVE-2009-1136: The Microsoft Office Web Components Spreadsheet ActiveX control (aka OWC10 or OWC11), as distributed in Office XP SP3 and Office 2003 SP3, Office XP W↗2009-07-15

▶

VulnCheck

Microsoft isa_server Improper Control of Generation of Code ('Code Injection')↗2009

▶

💥Exploits & PoCs

Exploit-DB

Microsoft Office Web Components (OWC) Spreadsheet - msDataSourceObject Memory Corruption (MS09-043) (Metasploit)↗2010-07-20

▶

Exploit-DB

Microsoft Office Web Components (OWC) Spreadsheet - ActiveX Buffer Overflow (PoC)↗2009-07-16

▶