Vulnerability Name: CVE-2015-2423 (CCN-105182) Assigned: 2015-08-11 Published: 2015-08-11 Updated: 2019-05-15 Summary: Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT Gold and 8.1, Windows 10, Excel 2007 SP3, PowerPoint 2007 SP3, Visio 2007 SP3, Word 2007 SP3, Office 2010 SP2, Excel 2010 SP2, PowerPoint 2010 SP2, Visio 2010 SP2, Word 2010 SP2, Excel 2013 SP1, PowerPoint 2013 SP1, Visio 2013 SP1, Word 2013 SP1, Excel 2013 RT SP1, PowerPoint 2013 RT SP1, Visio 2013 RT SP1, Word 2013 RT SP1, and Internet Explorer 7 through 11 allow remote attackers to gain privileges and obtain sensitive information via a crafted command-line parameter to an Office application or Notepad, as demonstrated by a transition from Low Integrity to Medium Integrity, aka "Unsafe Command Line Parameter Passing Vulnerability." CVSS v3 Severity: 5.5 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N )4.8 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N/E:U/RL:O/RC:C )Exploitability Metrics: Attack Vector (AV): LocalAttack Complexity (AC): HighPrivileges Required (PR): NoneUser Interaction (UI): RequiredScope: Scope (S): ChangedImpact Metrics: Confidentiality (C): HighIntegrity (I): NoneAvailibility (A): None
CVSS v2 Severity: 4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N )Exploitability Metrics: Access Vector (AV): NetworkAccess Complexity (AC): MediumAuthentication (Au): NoneImpact Metrics: Confidentiality (C): PartialIntegrity (I): NoneAvailibility (A): None
3.8 Low (CCN CVSS v2 Vector: AV:L/AC:H/Au:S/C:C/I:N/A:N )Exploitability Metrics: Access Vector (AV): LocalAccess Complexity (AC): HighAthentication (Au): Single_InstanceImpact Metrics: Confidentiality (C): CompleteIntegrity (I): NoneAvailibility (A): None
Vulnerability Type: CWE-200 Vulnerability Consequences: Obtain Information References: Source: MITRE Type: CNACVE-2015-2423 Source: CCN Type: Microsoft Security Bulletin MS15-088Unsafe Command Line Parameter Passing Could Allow Information Disclosure (3082458) Source: CCN Type: Microsoft Security Bulletin MS15-109Security Update for Windows Shell to Address Remote Code Execution (3096443) Source: SECTRACK Type: Third Party Advisory, VDB Entry1033237 Source: SECTRACK Type: Third Party Advisory, VDB Entry1033239 Source: SECTRACK Type: Third Party Advisory, VDB Entry1033248 Source: MS Type: Patch, Vendor AdvisoryMS15-079 Source: MS Type: Patch, Vendor AdvisoryMS15-081 Source: MS Type: Patch, Vendor AdvisoryMS15-088 Source: XF Type: UNKNOWNms-cmd-cve20152423-info-disc(105182) Vulnerable Configuration: Configuration 1 :cpe:/a:microsoft:excel:2007:sp3:*:*:*:*:*:* OR cpe:/a:microsoft:excel:2010:sp2:*:*:*:*:*:* OR cpe:/a:microsoft:excel:2013:sp1:*:*:*:*:*:* OR cpe:/a:microsoft:excel:2013:sp1:*:*:rt:*:*:* OR cpe:/a:microsoft:office:2010:sp2:*:*:*:*:*:* OR cpe:/a:microsoft:powerpoint:2007:sp3:*:*:*:*:*:* OR cpe:/a:microsoft:powerpoint:2010:sp2:*:*:*:*:*:* OR cpe:/a:microsoft:powerpoint:2013:sp1:*:*:*:*:*:* OR cpe:/a:microsoft:powerpoint:2013:sp1:*:*:rt:*:*:* OR cpe:/a:microsoft:visio:2007:sp3:*:*:*:*:*:* OR cpe:/a:microsoft:visio:2010:sp2:*:*:*:*:*:* OR cpe:/a:microsoft:visio:2013:sp1:*:*:*:*:*:* OR cpe:/a:microsoft:visio:2013:sp1:*:*:rt:*:*:* OR cpe:/a:microsoft:visio:2016:*:*:*:*:*:*:* OR cpe:/a:microsoft:word:2007:sp3:*:*:*:*:*:* OR cpe:/a:microsoft:word:2010:sp2:*:*:*:*:*:* OR cpe:/a:microsoft:word:2013:sp1:*:*:*:*:*:* OR cpe:/a:microsoft:word:2013:sp1:*:*:rt:*:*:* OR cpe:/a:microsoft:word:2016:*:*:*:*:*:*:* Configuration 2 :cpe:/a:microsoft:internet_explorer:7:*:*:*:*:*:*:* OR cpe:/a:microsoft:internet_explorer:8:*:*:*:*:*:*:* OR cpe:/a:microsoft:internet_explorer:9:*:*:*:*:*:*:* OR cpe:/a:microsoft:internet_explorer:10:*:*:*:*:*:*:* OR cpe:/a:microsoft:internet_explorer:11:-:*:*:*:*:*:* Configuration 3 :cpe:/o:microsoft:windows_10:-:*:*:*:*:*:*:* OR cpe:/o:microsoft:windows_7:-:sp1:*:*:*:*:*:* OR cpe:/o:microsoft:windows_8:-:*:*:*:*:*:*:* OR cpe:/o:microsoft:windows_8.1:-:*:*:*:*:*:*:* OR cpe:/o:microsoft:windows_rt:-:*:*:*:*:*:*:* OR cpe:/o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:* OR cpe:/o:microsoft:windows_server_2008:*:sp2:*:*:*:*:*:* OR cpe:/o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:itanium:* OR cpe:/o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:* OR cpe:/o:microsoft:windows_server_2012:-:*:*:*:*:*:*:* OR cpe:/o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:* OR cpe:/o:microsoft:windows_vista:-:sp2:*:*:*:*:*:* Configuration CCN 1 :cpe:/o:microsoft:windows_vista:*:sp2:*:*:*:*:x64:* OR cpe:/o:microsoft:windows_vista:*:sp2:*:*:*:*:*:* OR cpe:/o:microsoft:windows_server_2008:*:sp2:*:*:*:*:x32:* OR cpe:/o:microsoft:windows_server_2008:*:sp2:*:*:*:*:x64:* OR cpe:/o:microsoft:windows_server_2008:*:sp2:*:*:*:*:itanium:* OR cpe:/o:microsoft:windows_7:-:sp1:-:*:-:-:x32:* OR cpe:/o:microsoft:windows_7:*:sp1:*:*:*:*:x64:* OR cpe:/o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:* OR cpe:/o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:itanium:* OR cpe:/o:microsoft:windows_8:-:-:-:*:-:-:x32:* OR cpe:/o:microsoft:windows_8:*:*:*:*:*:*:x64:* OR cpe:/o:microsoft:windows_server_2012:*:*:*:*:*:*:*:* OR cpe:/o:microsoft:windows_rt:-:*:*:*:*:*:*:* OR cpe:/o:microsoft:windows_8.1:-:-:-:*:-:-:x32:* OR cpe:/o:microsoft:windows_8.1:*:*:*:*:*:*:x64:* OR cpe:/o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:* OR cpe:/o:microsoft:windows_rt_8.1:*:*:*:*:*:*:*:* OR cpe:/o:microsoft:windows_10:-:*:*:*:*:*:x32:* OR cpe:/o:microsoft:windows_10:*:*:*:*:*:*:x64:* AND cpe:/a:microsoft:powerpoint:2007:sp3:*:*:*:*:*:* OR cpe:/a:microsoft:excel:2007:sp3:*:*:*:*:*:* OR cpe:/a:microsoft:word:2007:sp3:*:*:*:*:*:* OR cpe:/a:microsoft:visio:2007:sp3:*:*:*:*:*:* OR cpe:/a:microsoft:office:2010:sp2:*:*:*:*:x64:* OR cpe:/a:microsoft:office:2010:sp2:x32:*:*:*:*:* OR cpe:/a:microsoft:excel:2010:sp2:*:*:*:*:x64:* OR cpe:/a:microsoft:excel:2010:sp2:*:*:*:*:x32:* OR cpe:/a:microsoft:word:2010:sp2:*:*:*:*:x32:* OR cpe:/a:microsoft:word:2010:sp2:*:*:*:*:x64:* OR cpe:/a:microsoft:excel:2013:sp1:*:*:*:*:x32:* OR cpe:/a:microsoft:excel:2013:sp1:*:*:*:*:x64:* OR cpe:/a:microsoft:excel:2013:sp1:*:*:rt:*:*:* OR cpe:/a:microsoft:word:2013:sp1:*:*:*:*:x32:* OR cpe:/a:microsoft:word:2013:sp1:*:*:*:*:x64:* OR cpe:/a:microsoft:word:2013:sp1:*:*:rt:*:*:* OR cpe:/a:microsoft:visio:2010:sp2:*:*:*:*:x32:* OR cpe:/a:microsoft:visio:2010:sp2:*:*:*:*:x64:* OR cpe:/a:microsoft:visio:2013:sp1:*:*:*:*:x32:* OR cpe:/a:microsoft:visio:2013:sp1:*:*:*:*:x64:* Denotes that component is vulnerable BACK
microsoft excel 2007 sp3
microsoft excel 2010 sp2
microsoft excel 2013 sp1
microsoft excel 2013 sp1
microsoft office 2010 sp2
microsoft powerpoint 2007 sp3
microsoft powerpoint 2010 sp2
microsoft powerpoint 2013 sp1
microsoft powerpoint 2013 sp1
microsoft visio 2007 sp3
microsoft visio 2010 sp2
microsoft visio 2013 sp1
microsoft visio 2013 sp1
microsoft visio 2016
microsoft word 2007 sp3
microsoft word 2010 sp2
microsoft word 2013 sp1
microsoft word 2013 sp1
microsoft word 2016
microsoft internet explorer 7
microsoft internet explorer 8
microsoft internet explorer 9
microsoft internet explorer 10
microsoft internet explorer 11 -
microsoft windows 10 -
microsoft windows 7 - sp1
microsoft windows 8 -
microsoft windows 8.1 -
microsoft windows rt -
microsoft windows rt 8.1 -
microsoft windows server 2008 - sp2
microsoft windows server 2008 r2 sp1
microsoft windows server 2008 r2 sp1
microsoft windows server 2012 -
microsoft windows server 2012 r2
microsoft windows vista - sp2
microsoft windows vista * sp2
microsoft windows vista * sp2
microsoft windows server 2008 sp2
microsoft windows server 2008 sp2
microsoft windows server 2008
microsoft windows 7 - sp1
microsoft windows 7 * sp1
microsoft windows server 2008 r2
microsoft windows server 2008 r2
microsoft windows 8 - -
microsoft windows 8 *
microsoft windows server 2012
microsoft windows rt -
microsoft windows 8.1 - -
microsoft windows 8.1 *
microsoft windows server 2012 r2
microsoft windows rt 8.1 *
microsoft windows 10 -
microsoft windows 10 *
microsoft powerpoint 2007 sp3
microsoft excel 2007 sp3
microsoft word 2007 sp3
microsoft visio 2007 sp3
microsoft office 2010 sp2
microsoft office 2010 sp2
microsoft excel 2010 sp2
microsoft excel 2010 sp2
microsoft word 2010 sp2
microsoft word 2010 sp2
microsoft excel 2013 sp1
microsoft excel 2013 sp1
microsoft excel 2013 sp1
microsoft word 2013 sp1
microsoft word 2013 sp1
microsoft word 2013 sp1
microsoft visio 2010 sp2
microsoft visio 2010 sp2
microsoft visio 2013 sp1
microsoft visio 2013 sp1