⚠ Actively exploited

Added to CISA KEV on 2023-09-12. Federal agencies required to patch by 2023-10-03. Required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable..

CVE-2023-36761

CWE-20 — Improper Input Validation CWE-668 — Exposure to Wrong Sphere7 documents7 sources

Severity

6.5MEDIUM

EPSS

7.3%

top 8.31%

CISA KEV

KEV

Added 2023-09-12

Due 2023-10-03

Exploit

Exploited in wild

Active exploitation observed

Affected products

Microsoft Microsoft 365 Apps FOR Enterprise Microsoft Microsoft Office 2019 Microsoft Microsoft Office Ltsc 2021 +5 more

Timeline

PublishedSep 12

KEV addedSep 12

KEV dueOct 3

CISA Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Description

Microsoft Word Information Disclosure Vulnerability

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages8 packages

▶CVEListV5microsoft/microsoft_word_201616.0.1 — 16.0.5413.1000

▶CVEListV5microsoft/microsoft_word_2013_service_pack_115.0.1 — 15.0.5589.1001

▶NVDmicrosoft/word2013, 2016+1

▶CVEListV5microsoft/microsoft_office_201919.0.0 — https://aka.ms/OfficeSecurityReleases

▶CVEListV5microsoft/microsoft_office_ltsc_202116.0.1 — https://aka.ms/OfficeSecurityReleases

Patches

Patch: msrc.microsoft.com ↗Patch: msrc.microsoft.com ↗

🔴Vulnerability Details

CVEList

Microsoft Word Information Disclosure Vulnerability↗2023-09-12

▶

GHSA

GHSA-4w9h-xcp4-6v33: Microsoft Word Information Disclosure Vulnerability↗2023-09-12

▶

VulnCheck

Microsoft Word Information Disclosure Vulnerability↗2023

▶

📋Vendor Advisories

CISA

Microsoft Word Information Disclosure Vulnerability↗2023-09-12

▶

Microsoft

Microsoft Word Information Disclosure Vulnerability↗2023-09-12

▶