CVE-2017-8710XML External Entity (XXE) Injection in Corporation Microsoft Common Console Document

CWE-611XML External Entity (XXE) Injection4 documents4 sources
Severity
5.5MEDIUMNVD
EPSS
33.1%
top 3.08%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
9
Microsoft Corporation Microsoft Common Console DocumentMicrosoft Windows Server 2008Msrc Windows 7 FOR 32-bit Systems Service Pack 1+6 more
Timeline
PublishedSep 13
Latest updateMay 13

Description

The Microsoft Common Console Document (.msc) in Microsoft Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1 allows an attacker to read arbitrary files via an XML external entity (XXE) declaration, due to the way that the Microsoft Common Console Document (.msc) parses XML input containing a reference to an external entity, aka "Windows Information Disclosure Vulnerability".

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages9 packages

CVEListV5microsoft_corporation/microsoft_common_console_documentMicrosoft Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1.

Patches

Patch: portal.msrc.microsoft.comPatch: portal.msrc.microsoft.com

🔴Vulnerability Details

1
GHSA
GHSA-v2hx-p2cq-5wm5: The Microsoft Common Console Document (2022-05-13

📋Vendor Advisories

1
Microsoft
Windows System Information Console Information Disclosure Vulnerability2017-09-12

🕵️Threat Intelligence

1
Talos
Microsoft Patch Tuesday - September 20172017-09-12