CVE-2018-8558 — Sensitive Information Exposure in Microsoft Office

CWE-200 — Sensitive Information Exposure4 documents4 sources

Severity

6.5MEDIUMNVD

EPSS

13.6%

top 5.75%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Microsoft Office Microsoft Office

Timeline

PublishedNov 14

Latest updateMay 14

Description

An information disclosure vulnerability exists when Microsoft Outlook fails to respect "Default link type" settings configured via the SharePoint Online Admin Center, aka "Microsoft Outlook Information Disclosure Vulnerability." This affects Office 365 ProPlus, Microsoft Office. This CVE ID is unique from CVE-2018-8579.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶CVEListV5microsoft/office365 ProPlus for 32-bit Systems, 365 ProPlus for 64-bit Systems+1

▶NVDmicrosoft/office2019

▶CVEListV5microsoft/microsoft_office2019 for 32-bit editions, 2019 for 64-bit editions+1

Patches

Patch: portal.msrc.microsoft.com ↗Patch: portal.msrc.microsoft.com ↗

🔴Vulnerability Details

GHSA

GHSA-c7gg-mch8-hvm7: An information disclosure vulnerability exists when Microsoft Outlook fails to respect "Default link type" settings configured via the SharePoint Onli↗2022-05-14

▶

CVEList

CVE-2018-8558: An information disclosure vulnerability exists when Microsoft Outlook fails to respect "Default link type" settings configured via the SharePoint Onli↗2018-11-14

▶

📋Vendor Advisories

Microsoft

Microsoft Outlook Information Disclosure Vulnerability↗2018-11-13

▶