CVE-2023-33140
Published 2023-06-13
CVE-2023-33140: Microsoft OneNote Spoofing Vulnerability
Medium, 6.5 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:R / S:U / C:H / I:N / A:N
EXPLOIT
EPSS: 1.65% (73.6th percentile)
Microsoft OneNote Spoofing Vulnerability
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | microsoft_onenote_for_universal | >= 16.0.0 < 16.0.14326.21450 | 16.0.14326.21450 |
| msrc | microsoft_onenote_for_universal | — | — |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N |
| cvelistv5 | 6.5 | MEDIUM | |
| vendor_msrc | 6.5 | MEDIUM | |
Microsoft
Microsoft OneNote Spoofing Vulnerability
vendor_msrc·2023-06-13·CVSS 6.5
CVE-2023-33140 [MEDIUM] Microsoft OneNote Spoofing Vulnerability
FAQ: According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?
Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft OneNote and then click on a specially crafted URL to be compromised by the attacker.
FAQ: According to the CVSS metrics, successful exploitation of this vulnerability could lead to major loss of confidentiality (C:H) but have no effect on integrity (I:N) or on availability (A:N). What does that mean for this vulnerability?
Successful exploitation of this vulnerability enables an attacker to obtain a victim's NetNTLMv2 hashes thus impact to Confidentiality is High. Integrity and Availability are not impacted becau
CVEList
Microsoft OneNote Spoofing Vulnerability
cvelistv5·2023-06-13·CVSS 6.5
CVE-2023-33140 [MEDIUM] Microsoft OneNote Spoofing Vulnerability
Published: 2023-06-13