⚠ Actively exploited
Added to CISA KEV on 2023-02-14. Federal agencies required to patch by 2023-03-07. Required action: Apply updates per vendor instructions..

CVE-2023-21715Incorrect Authorization in Microsoft 365 Apps FOR Enterprise

CWE-863Incorrect Authorization17 documents11 sources
Severity
7.3HIGHNVD
EPSS
0.7%
top 29.07%
CISA KEV
KEV
Added 2023-02-14
Due 2023-03-07
Exploit
Exploited in wild
Active exploitation observed
Affected products
1
Microsoft 365 Apps FOR Enterprise
Timeline
PublishedFeb 14
KEV addedFeb 14
Latest updateFeb 16
KEV dueMar 7
CISA Required Action: Apply updates per vendor instructions.

Description

Microsoft Publisher Security Feature Bypass Vulnerability

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:HExploitability: 1.3 | Impact: 5.9

Affected Packages1 packages

CVEListV5microsoft/microsoft_365_apps_for_enterprise16.0.1https://aka.ms/OfficeSecurityReleases

Patches

Patch: msrc.microsoft.comPatch: msrc.microsoft.com

🔴Vulnerability Details

3
CVEList
Microsoft Publisher Security Feature Bypass Vulnerability2023-02-14
GHSA
GHSA-9gf3-6wpf-hgpx: Microsoft Publisher Security Features Bypass Vulnerability2023-02-14
VulnCheck
Microsoft Office Publisher Security Feature Bypass Vulnerability2023

📋Vendor Advisories

2
CISA
Microsoft Office Publisher Security Feature Bypass Vulnerability2023-02-14
Microsoft
Microsoft Publisher Security Feature Bypass Vulnerability2023-02-14

🕵️Threat Intelligence

11
Talos
Threat Source newsletter (Feb. 16, 2023) — Recapping what we may have missed so far this year2023-02-16
Talos
Threat Source newsletter (Feb. 16, 2023) — Recapping what we may have missed so far this year2023-02-16
Qualys
The February 2023 Patch Tuesday Security Update Review2023-02-15
Qualys
The February 2023 Patch Tuesday Security Update Review | Qualys2023-02-15
Talos
Microsoft Patch Tuesday for February 2023 — Snort rules and prominent vulnerabilities2023-02-14
CVE-2023-21715 — Incorrect Authorization in Microsoft | cvebase