CVE-2017-8710
published 2017-09-13
Priority: P3 · 36 · medium · 5.5 CVSS 3.0
Vector: AV:L / AC:L / PR:N / UI:R / S:U / C:H / I:N / A:N
EPSS: 10.44% (95.2th percentile)
The Microsoft Common Console Document (.msc) in Microsoft Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1 allows an attacker to read arbitrary files via an XML external entity (XXE) declaration, due to the way that the Microsoft Common Console Document (.msc) parses XML input containing a reference to an external entity, aka "Windows Information Disclosure Vulnerability".
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_server_2008 | — | — |
| microsoft_corporation | microsoft_common_console_document | — | — |
| msrc | windows_7_for_32-bit_systems_service_pack_1 | — | — |
| msrc | windows_7_for_x64-based_systems_service_pack_1 | — | — |
| msrc | windows_server_2008_for_32-bit_systems_service_pack_2 | — | — |
| msrc | windows_server_2008_for_itanium-based_systems_service_pack_2 | — | — |
| msrc | windows_server_2008_for_x64-based_systems_service_pack_2 | — | — |
| msrc | windows_server_2008_r2_for_itanium-based_systems_service_pack_1 | — | — |
| msrc | windows_server_2008_r2_for_x64-based_systems_service_pack_1 | — | — |
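CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 5.5 | MEDIUM | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N |
| vendor_msrc | | 4.4 | MEDIUM | |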
GHSA
ghsa_unreviewed·2022-05-13
CVE-2017-8710 [MEDIUM] CWE-611 GHSA-v2hx-p2cq-5wm5: The Microsoft Common Console Document (
Microsoft
Windows System Information Console Information Disclosure Vulnerability
vendor_msrc·2017-09-12·CVSS 4.4
CVE-2017-8710 [MEDIUM] Windows System Information Console Information Disclosure Vulnerability
Description: An information disclosure vulnerability exists in the Microsoft Common Console Document (.msc) when it improperly parses XML input containing a reference to an external entity. An attacker who successfully exploited this vulnerability could read arbitrary files via an XML external entity (XXE) declaration.
To exploit the vulnerability, an attacker could create a file containing specially crafted XML content and convince an authenticated user to open the file.
The update addresses the vulnerability by modifying the way that the Microsoft Common Console Document (.msc) parses XML input.
Microsoft Windows: Microsoft Windows
Impact: Information Disclosure
Exploit Status: Publicly Disclosed: No; Exploited: No
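A defensive triage check for the parsing flaw described above, as an added example that is not part of the advisory or any Microsoft code: it inspects a .msc file's text for external entity declarations and external DTD subsets without handing the file to an XML parser. The function names and the sample console contents are constructed for illustration.

```python
import re

# XML keywords are case-sensitive, so these patterns are too.
_NOISE = re.compile(r"<!--.*?-->|<!\[CDATA\[.*?\]\]>", re.S)  # comments and CDATA are not markup
_IDS = r"""((?:\s+(?:"[^"]*"|'[^']*'))+)"""                   # one or two quoted identifiers
_ENTITY = re.compile(r"<!ENTITY\s+(%\s+)?(\S+)\s+(SYSTEM|PUBLIC)" + _IDS)
_SUBSET = re.compile(r"<!DOCTYPE\s+\S+\s+(SYSTEM|PUBLIC)" + _IDS)

def decode_console(raw: bytes) -> str:
    """Decode console bytes as UTF-16 (with or without BOM) or UTF-8."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16", errors="replace")
    if raw[:2] == b"<\x00":
        return raw.decode("utf-16-le", errors="replace")
    if raw[:2] == b"\x00<":
        return raw.decode("utf-16-be", errors="replace")
    return raw.decode("utf-8-sig", errors="replace")

def system_id(ids: str) -> str:
    """Return the last quoted literal, which is the system identifier."""
    return [a or b for a, b in re.findall(r"\"([^\"]*)\"|'([^']*)'", ids)][-1]

def triage_msc(raw: bytes) -> dict:
    """Report external-entity constructs by text inspection; nothing is resolved or fetched."""
    text = _NOISE.sub("", decode_console(raw))
    entities = [{"name": m.group(2), "parameter": bool(m.group(1)),
                 "target": system_id(m.group(4))} for m in _ENTITY.finditer(text)]
    subset = _SUBSET.search(text)
    return {"has_doctype": "<!DOCTYPE" in text,
            "external_subset": system_id(subset.group(2)) if subset else None,
            "external_entities": entities,
            "flag": bool(entities or subset)}

# Constructed samples (hypothetical content, placeholder target path).
BENIGN = b'<?xml version="1.0"?>\n<MMC_ConsoleFile ConsoleVersion="3.0"></MMC_ConsoleFile>'
FLAGGED = (b'<?xml version="1.0"?>\n<!DOCTYPE MMC_ConsoleFile [\n'
           b'  <!ENTITY placeholder SYSTEM "file:///C:/constructed/placeholder.txt">\n]>\n'
           b'<MMC_ConsoleFile ConsoleVersion="3.0"></MMC_ConsoleFile>')
COMMENTED = b'<?xml version="1.0"?>\n<!-- <!ENTITY x SYSTEM "file:///nowhere"> -->\n<MMC_ConsoleFile/>'

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("flagged", FLAGGED), ("commented", COMMENTED)):
        print(label, triage_msc(sample))
```

A flagged console file is a candidate for quarantine and manual review; the check complements the vendor update and does not replace it.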
No detection rules found.
No public exploits indexed.
http://www.securityfocus.com/bid/100793
http://www.securitytracker.com/id/1039325
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8710
https://www.vulnerability-lab.com/get_content.php?id=2094
https://www.youtube.com/watch?v=bIFot3a-58I
Published: 2017-09-13