Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2010-2738Improper Input Validation in Microsoft Office

CWE-20Improper Input Validation4 documents4 sources
Severity
9.3CRITICALNVD
EPSS
15.8%
top 5.24%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
1
Microsoft Office
Timeline
PublishedSep 15
Latest updateMay 14

Description

The Uniscribe (aka new Unicode Script Processor) implementation in USP10.DLL in Microsoft Windows XP SP2 and SP3, Server 2003 SP2, Vista SP1 and SP2, and Server 2008 Gold and SP2, and Microsoft Office XP SP3, 2003 SP3, and 2007 SP2, does not properly validate tables associated with malformed OpenType fonts, which allows remote attackers to execute arbitrary code via a crafted (1) web site or (2) Office document, aka "Uniscribe Font Parsing Engine Memory Corruption Vulnerability."

CVSS vector

AV:N/AC:M/C:C/I:C/A:CExploitability: 8.6 | Impact: 10.0

Affected Packages1 packages

NVDmicrosoft/office2003, 2007, xp+2

🔴Vulnerability Details

1
GHSA
GHSA-wc9g-7cq9-99w8: The Uniscribe (aka new Unicode Script Processor) implementation in USP102022-05-14

💥Exploits & PoCs

1
Exploit-DB
Microsoft Unicode Scripts Processor - Remote Code Execution (MS10-063)2010-09-30

🕵️Threat Intelligence

1
Zscaler
Zscaler Provides Protection for 3 New Microsoft Vulnerabilities | Zscaler
CVE-2010-2738 — Improper Input Validation in Microsoft | cvebase