CVE-2020-16928 — Improper Input Validation in Microsoft 365 Apps FOR Enterprise
Severity
7.8HIGHNVD
EPSS
10.9%
top 6.59%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedOct 16
Latest updateMay 24
Description
An elevation of privilege vulnerability exists in the way that Microsoft Office Click-to-Run (C2R) AppVLP handles certain files. An attacker who successfully exploited the vulnerability could elevate privileges.
To exploit this vulnerability, an attacker would need to convince a user to open a specially crafted file.
The security update addresses the vulnerability by correcting how Microsoft Office Click-to-Run (C2R) components handle these files.
CVSS vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9
Affected Packages4 packages
Patches
🔴Vulnerability Details
4GHSA▶
GHSA-hfw2-mqmp-j26q: An elevation of privilege vulnerability exists in the way that Microsoft Office Click-to-Run (C2R) AppVLP handles certain files, aka 'Microsoft Office↗2022-05-24
GHSA▶
GHSA-3p6w-82x2-65rf: An elevation of privilege vulnerability exists in the way that Microsoft Office Click-to-Run (C2R) AppVLP handles certain files, aka 'Microsoft Office↗2022-05-24
GHSA▶
GHSA-x6hw-487w-hxf4: An elevation of privilege vulnerability exists in the way that Microsoft Office Click-to-Run (C2R) AppVLP handles certain files, aka 'Microsoft Office↗2022-05-24