CVE-2009-2528

CWE-94 — Code Injection3 documents3 sources

Severity

9.3CRITICAL

EPSS

38.7%

top 2.75%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Microsoft .net Framework Microsoft Excel Viewer Microsoft Expression WEB +16 more

Timeline

PublishedOct 14

Latest updateMay 2

Description

GDI+ in Microsoft Office XP SP3 does not properly handle malformed objects in Office Art Property Tables, which allows remote attackers to execute arbitrary code via a crafted Office document that triggers memory corruption, aka "Memory Corruption Vulnerability."

CVSS vector

AV:N/AC:M/C:C/I:C/A:CExploitability: 8.6 | Impact: 10.0

Affected Packages19 packages

▶NVDmicrosoft/office2003, 2007, xp+2

▶NVDmicrosoft/office_groove2007

▶NVDmicrosoft/office_powerpoint_viewer2007

▶NVDmicrosoft/office_compatibility_pack2007

▶NVDmicrosoft/sql2000

🔴Vulnerability Details

GHSA

GHSA-qq8p-5v5h-rxf8: GDI+ in Microsoft Office XP SP3 does not properly handle malformed objects in Office Art Property Tables, which allows remote attackers to execute arb↗2022-05-02

▶

CVEList

CVE-2009-2528: GDI+ in Microsoft Office XP SP3 does not properly handle malformed objects in Office Art Property Tables, which allows remote attackers to execute arb↗2009-10-14

▶