CVE-2019-1109: Improper Input Validation in Microsoft Office

Severity: 9.1 CRITICAL (NVD)
EPSS: 8.0% (top 7.91%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jul 15; Latest update May 24

Description

A spoofing vulnerability exists when Microsoft Office Javascript does not check the validity of the web page making a request to Office documents. An attacker who successfully exploited this vulnerability could read or write information in Office documents. The security update addresses the vulnerability by correcting the way that Microsoft Office Javascript verifies trusted web pages. This issue is also known as the 'Microsoft Office Spoofing Vulnerability'.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Exploitability: 3.9 | Impact: 5.2

Affected Packages (3 packages)

NVD: microsoft/office: 2013, 2016, 2019 (+2)
CVEListV5: microsoft/microsoft_office: 7 versions (+6)
CVEListV5: microsoft/office_365_proplus: 32-bit Systems, 64-bit Systems (+1)

Patches

🔴 Vulnerability Details (2)

GHSA: GHSA-j5h9-qc5w-q39g: A spoofing vulnerability exists when Microsoft Office Javascript does not check the validity of the web page making a request to Office documents (2022-05-24)
CVEList: CVE-2019-1109: A spoofing vulnerability exists when Microsoft Office Javascript does not check the validity of the web page making a request to Office documents (2019-07-29)

📋 Vendor Advisories (1)

Microsoft: Microsoft Office Spoofing Vulnerability (2019-07-09)