CVE-2014-0259
published 2014-01-15
CVE-2014-0259: Microsoft Word 2007 SP3 and Office Compatibility Pack SP3 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via…
Priority: P349 · critical · 9.3 · CVSS 2.0
AV:N/AC:M/Au:N/C:C/I:C/A:C
EPSS: 16.46% (96.6th percentile)
Microsoft Word 2007 SP3 and Office Compatibility Pack SP3 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Office document, aka "Word Memory Corruption Vulnerability."
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | word | — | — |
| openstack | nova | >= 0 < 2014.1.4 | 2014.1.4 |
| openstack | nova | >= 2014.2.0 < 2014.2.3 | 2014.2.3 |
CVSS provenance
nvd · v2.0 · 9.3 · CRITICAL · AV:N/AC:M/Au:N/C:C/I:C/A:C
vendor_redhat · 5.1 · MEDIUM
GHSA
GHSA-8xfc-jc35-hm4j: Microsoft Word 2007 SP3 and Office Compatibility Pack SP3 allow remote attackers to execute arbitrary code or cause a denial of service (memory corrup
ghsa_unreviewed·2022-05-14
CVE-2014-0259 [HIGH] CWE-119 GHSA-8xfc-jc35-hm4j: Microsoft Word 2007 SP3 and Office Compatibility Pack SP3 allow remote attackers to execute arbitrary code or cause a denial of service (memory corrup
Microsoft Word 2007 SP3 and Office Compatibility Pack SP3 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Office document, aka "Word Memory Corruption Vulnerability."
GHSA
OpenStack Compute (Nova) has Insufficient Verification of Data Authenticity
ghsa·2022-05-14
CVE-2015-0259 [MEDIUM] CWE-345 OpenStack Compute (Nova) has Insufficient Verification of Data Authenticity
OpenStack Compute (Nova) before 2014.1.4, 2014.2.x before 2014.2.3, and kilo before kilo-3 does not validate the origin of websocket requests, which allows remote attackers to hijack the authentication of users for access to consoles via a crafted webpage.
Red Hat
openstack-nova: console Cross-Site WebSocket hijacking
vendor_redhat·2015-03-10·CVSS 5.1
CVE-2015-0259 [MEDIUM] CWE-345 openstack-nova: console Cross-Site WebSocket hijacking
OpenStack Compute (Nova) before 2014.1.4, 2014.2.x before 2014.2.3, and kilo before kilo-3 does not validate the origin of websocket requests, which allows remote attackers to hijack the authentication of users for access to consoles via a crafted webpage.
It was discovered that the OpenStack Compute (nova) console websocket did not correctly verify the origin header. An attacker could use this flaw to conduct a cross-site websocket hijack attack. Note that only Compute setups with VNC or SPICE enabled were affected by this flaw.
Package: openstack-nova (Red Hat OpenStack Platform 4) - Will not fix
No detection rules found.
No public exploits indexed.
Talos
Microsoft Update Tuesday: January 2014, fix for the XP/2003 0-day vulnerability
blogs_talos·2014-01-14·CVSS 9.8
CVE-2014-0258 [CRITICAL] Microsoft Update Tuesday: January 2014, fix for the XP/2003 0-day vulnerability
The first Microsoft Update Tuesday of 2014 is here and it’s a very light month this time around. We’ve got 4 bulletins covering 6 CVEs. What’s remarkable is that there’s no Internet Explorer bulletin this month. There are also no bulletins that are marked critical, all 4 bulletins are marked as important.
The first bulletin, MS14-001, is for Word and Office Web Apps, this bulletin covers 3 CVEs (CVE-2014-0258, CVE-2014-0259 and CVE-2014-0260). They are memory corruption vulnerabilities in Word, which could result in remote code execution.
MS14-002 is a fix for the Windows XP/2003 0-day kernel escalation of privilege vulnerability (CVE-2013-5065) that was being exploited in the wild in tandem with the Adobe Reader vulnerability (CVE-2013-3346). Here an attacker would convince the user to o
http://www.securitytracker.com/id/1029598
http://www.securitytracker.com/id/1029599
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2014/ms14-001
Published: 2014-01-15