CVE-2023-35636 — Sensitive Information Exposure in Microsoft 365 Apps FOR Enterprise

CWE-200 — Sensitive Information Exposure8 documents6 sources

Severity

6.5MEDIUMNVD

EPSS

10.5%

top 6.72%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Microsoft 365 Apps FOR Enterprise Microsoft Office 2016 Microsoft Office 2019 +3 more

Timeline

PublishedDec 12

Latest updateFeb 5

Description

Microsoft Outlook Information Disclosure Vulnerability

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages6 packages

▶CVEListV5microsoft/microsoft_office_201616.0.0 — 16.0.5426.1000

▶CVEListV5microsoft/microsoft_office_201919.0.0 — https://aka.ms/OfficeSecurityReleases

▶CVEListV5microsoft/microsoft_office_ltsc_202116.0.1 — https://aka.ms/OfficeSecurityReleases

▶CVEListV5microsoft/microsoft_365_apps_for_enterprise16.0.1 — https://aka.ms/OfficeSecurityReleases

▶NVDmicrosoft/office2016, 2019+1

Patches

Patch: msrc.microsoft.com ↗Patch: msrc.microsoft.com ↗

🔴Vulnerability Details

CVEList

Microsoft Outlook Information Disclosure Vulnerability↗2023-12-12

▶

GHSA

GHSA-7m3r-9jw9-j2rw: Microsoft Outlook Information Disclosure Vulnerability↗2023-12-12

▶

🔍Detection Rules

Suricata

ET EXPLOIT Possible Malicious x-sharing-config-url SMTP header observed (CVE-2023-35636)↗2024-01-24

▶

Suricata

ET HUNTING External SMB ANDX Request for Outlook Calendar Invite File (.ics) - Possible NTLM Hash Leak Attempt↗2024-01-24

▶

📋Vendor Advisories

Microsoft

Microsoft Outlook Information Disclosure Vulnerability↗2023-12-12

▶

🕵️Threat Intelligence

Bleepingcomputer

Microsoft Outlook December updates trigger ICS security alerts↗2024-02-05

▶