CVE-2019-1204

CWE-20 — Improper Input Validation CWE-79 — Cross-site Scripting (XSS)6 documents6 sources

Severity

4.3MEDIUM

EPSS

8.6%

top 7.59%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Microsoft Microsoft Office 2019 Microsoft Microsoft Outlook 2010 Service Pack 2 Microsoft Microsoft Outlook 2013 Service Pack 1 +4 more

Timeline

PublishedAug 14

Latest updateMay 24

Description

An elevation of privilege vulnerability exists when Microsoft Outlook initiates processing of incoming messages without sufficient validation of the formatting of the messages. An attacker who successfully exploited the vulnerability could attempt to force Outlook to load a local or remote message store (over SMB). To exploit the vulnerability, the attacker could send a specially crafted email to a victim. Outlook would then attempt to open a pre-configured message store contained in the email u…

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages7 packages

▶CVEListV5microsoft/microsoft_outlook_201616.0.0.0 — publication

▶CVEListV5microsoft/microsoft_outlook_2010_service_pack_213.0.0.0 — publication

▶CVEListV5microsoft/microsoft_outlook_2013_service_pack_115.0.0.0 — publication

▶NVDmicrosoft/outlook2010, 2013, 2016+2

▶CVEListV5microsoft/office_365_proplus16.0.0 — publication

Patches

Patch: portal.msrc.microsoft.com ↗Patch: portal.msrc.microsoft.com ↗

🔴Vulnerability Details

GHSA

GHSA-c2cv-vhh7-5wqr: An elevation of privilege vulnerability exists when Microsoft Outlook initiates processing of incoming messages without sufficient validation of the f↗2022-05-24

▶

CVEList

Microsoft Outlook Elevation of Privilege Vulnerability↗2019-08-14

▶

📋Vendor Advisories

Microsoft

Microsoft Outlook Elevation of Privilege Vulnerability↗2019-08-13

▶

Red Hat

jenkins-plugin-blueocean: XSS vulnerability via user description in Blue Ocean (SECURITY-1204)↗2019-01-28

▶

💬Community

Bugzilla

CVE-2019-1003013 jenkins-plugin-blueocean: XSS vulnerability via user description in Blue Ocean (SECURITY-1204)↗2019-01-29

▶