CVE-2017-0195

CWE-79 — Cross-site Scripting (XSS)4 documents4 sources

Severity

5.4MEDIUM

EPSS

1.0%

top 23.54%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Microsoft Corporation Office Microsoft Excel WEB APP Microsoft Office WEB Apps +2 more

Timeline

PublishedApr 12

Latest updateMay 17

Description

Microsoft Excel Services on Microsoft SharePoint Server 2010 SP1 and SP2, Microsoft Excel Web Apps 2010 SP2, Microsoft Office Web Apps 2010 SP2, Microsoft Office Web Apps Server 2013 SP1 and Office Online Server allows remote attackers to perform cross-site scripting and run script with local user privileges via a crafted request, aka "Microsoft Office XSS Elevation of Privilege Vulnerability."

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages5 packages

▶NVDmicrosoft/office_web_apps_server2013

▶NVDmicrosoft/office_web_apps2010

▶NVDmicrosoft/sharepoint_server2010

▶CVEListV5microsoft_corporation/officeExcel Services on Microsoft SharePoint Server 2010 SP1 and SP2, Microsoft Excel Web Apps 2010 SP2, Microsoft Office Web Apps 2010 SP2, Microsoft Office Web Apps Server 2013 SP1, and Office Online Server

▶NVDmicrosoft/excel_web_app2010

Patches

Patch: portal.msrc.microsoft.com ↗Patch: portal.msrc.microsoft.com ↗

🔴Vulnerability Details

GHSA

GHSA-w7pr-r354-3wwp: Microsoft Excel Services on Microsoft SharePoint Server 2010 SP1 and SP2, Microsoft Excel Web Apps 2010 SP2, Microsoft Office Web Apps 2010 SP2, Micro↗2022-05-17

▶

CVEList

CVE-2017-0195: Microsoft Excel Services on Microsoft SharePoint Server 2010 SP1 and SP2, Microsoft Excel Web Apps 2010 SP2, Microsoft Office Web Apps 2010 SP2, Micro↗2017-04-12

▶

📋Vendor Advisories

Microsoft

Microsoft Office XSS Elevation of Privilege Vulnerability↗2017-04-11

▶