| Vulnerability Name: | CVE-2015-2503 (CCN-107646) |
| Assigned: | 2015-11-10 |
| Published: | 2015-11-10 |
| Updated: | 2018-10-12 |
| Summary: | Microsoft Access 2007 SP3, Excel 2007 SP3, InfoPath 2007 SP3, OneNote 2007 SP3, PowerPoint 2007 SP3, Project 2007 SP3, Publisher 2007 SP3, Visio 2007 SP3, Word 2007 SP3, Office 2007 IME (Japanese) SP3, Access 2010 SP2, Excel 2010 SP2, InfoPath 2010 SP2, OneNote 2010 SP2, PowerPoint 2010 SP2, Project 2010 SP2, Publisher 2010 SP2, Visio 2010 SP2, Word 2010 SP2, Pinyin IME 2010, Access 2013 SP1, Excel 2013 SP1, InfoPath 2013 SP1, OneNote 2013 SP1, PowerPoint 2013 SP1, Project 2013 SP1, Publisher 2013 SP1, Visio 2013 SP1, Word 2013 SP1, Excel 2013 RT SP1, OneNote 2013 RT SP1, PowerPoint 2013 RT SP1, Word 2013 RT SP1, Access 2016, Excel 2016, OneNote 2016, PowerPoint 2016, Project 2016, Publisher 2016, Visio 2016, Word 2016, Skype for Business 2016, and Lync 2013 SP1 allow remote attackers to bypass a sandbox protection mechanism and gain privileges via a crafted web site that is accessed with Internet Explorer, as demonstrated by a transition from Low Integrity to Medium Integrity, aka "Microsoft Office Elevation of Privilege Vulnerability."
|
| CVSS v3 Severity: | 8.3 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)
7.2 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C)| Exploitability Metrics: | Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): Required | | Scope: | Scope (S): Changed
| | Impact Metrics: | Confidentiality (C): High
Integrity (I): High
Availibility (A): High |
|
| CVSS v2 Severity: | 9.3 High (CVSS v2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C)| Exploitability Metrics: | Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None | | Impact Metrics: | Confidentiality (C): Complete
Integrity (I): Complete
Availibility (A): Complete |
7.1 High (CCN CVSS v2 Vector: AV:N/AC:H/Au:S/C:C/I:C/A:C)| Exploitability Metrics: | Access Vector (AV): Network
Access Complexity (AC): High
Athentication (Au): Single_Instance
| | Impact Metrics: | Confidentiality (C): Complete
Integrity (I): Complete
Availibility (A): Complete |
|
| Vulnerability Type: | CWE-264
|
| Vulnerability Consequences: | Gain Privileges |
| References: | Source: MITRE
Type: CNA
CVE-2015-2503
Source: CCN
Type: Microsoft Security Bulletin MS15-119
Security Updates for Microsoft Office to Address Remote Code Execution (3104540)
Source: SECTRACK
Type: Third Party Advisory, VDB Entry
1034117
Source: SECTRACK
Type: Third Party Advisory, VDB Entry
1034119
Source: SECTRACK
Type: Third Party Advisory, VDB Entry
1034122
Source: MS
Type: UNKNOWN
MS15-116
Source: XF
Type: UNKNOWN
ms-office-cve20152503-priv-esc(107646)
|
| Vulnerable Configuration: | Configuration 1:
cpe:/a:microsoft:access:2007:sp3:*:*:*:*:*:*OR cpe:/a:microsoft:access:2010:sp2:*:*:*:*:*:*OR cpe:/a:microsoft:access:2013:sp1:*:*:*:*:*:*OR cpe:/a:microsoft:access:2016:*:*:*:*:*:*:*OR cpe:/a:microsoft:excel:2007:sp3:*:*:*:*:*:*OR cpe:/a:microsoft:excel:2010:sp2:*:*:*:*:x64:*OR cpe:/a:microsoft:excel:2010:sp2:*:*:*:*:x86:*OR cpe:/a:microsoft:excel:2013:sp1:*:*:*:*:*:*OR cpe:/a:microsoft:excel:2013:sp1:*:*:rt:*:*:*OR cpe:/a:microsoft:excel:2016:*:*:*:*:*:*:*OR cpe:/a:microsoft:infopath:2007:sp3:*:*:*:*:*:*OR cpe:/a:microsoft:infopath:2010:sp2:*:*:*:*:*:*OR cpe:/a:microsoft:infopath:2013:sp1:*:*:*:*:*:*OR cpe:/a:microsoft:lync:2013:sp1:*:*:*:*:*:*OR cpe:/a:microsoft:office_2007_ime:sp3:*:*:ja:*:*:*:*OR cpe:/a:microsoft:onenote:2007:sp3:*:*:*:*:*:*OR cpe:/a:microsoft:onenote:2010:sp2:*:*:*:*:*:*OR cpe:/a:microsoft:onenote:2013:sp1:*:*:*:*:*:*OR cpe:/a:microsoft:onenote:2013:sp1:*:*:rt:*:*:*OR cpe:/a:microsoft:onenote:2016:*:*:*:*:*:*:*OR cpe:/a:microsoft:pinyin_ime:2010:*:*:*:*:*:*:*OR cpe:/a:microsoft:powerpoint:2007:sp3:*:*:*:*:*:*OR cpe:/a:microsoft:powerpoint:2010:sp2:*:*:*:*:*:*OR cpe:/a:microsoft:powerpoint:2013:sp1:*:*:*:*:*:*OR cpe:/a:microsoft:powerpoint:2013:sp1:*:*:rt:*:*:*OR cpe:/a:microsoft:powerpoint:2016:*:*:*:*:*:*:*OR cpe:/a:microsoft:project:2007:sp3:*:*:*:*:*:*OR cpe:/a:microsoft:project:2016:*:*:*:*:*:*:*OR cpe:/a:microsoft:project_server:2010:sp2:*:*:*:*:*:*OR cpe:/a:microsoft:project_server:2013:sp1:*:*:*:*:*:*OR cpe:/a:microsoft:publisher:2007:sp3:*:*:*:*:*:*OR cpe:/a:microsoft:publisher:2010:sp2:*:*:*:*:*:*OR cpe:/a:microsoft:publisher:2013:sp1:*:*:*:*:*:*OR cpe:/a:microsoft:publisher:2016:*:*:*:*:*:*:*OR cpe:/a:microsoft:skype_for_business:2016:*:*:*:*:*:*:*OR cpe:/a:microsoft:visio:2007:sp3:*:*:*:*:*:*OR cpe:/a:microsoft:visio:2010:sp2:*:*:*:*:*:*OR cpe:/a:microsoft:visio:2013:sp1:*:*:*:*:*:*OR cpe:/a:microsoft:visio:2016:*:*:*:*:*:*:*OR cpe:/a:microsoft:word:2007:sp3:*:*:*:*:*:*OR cpe:/a:microsoft:word:2010:sp2:*:*:*:*:*:*OR cpe:/a:microsoft:word:2013:sp1:*:*:*:*:*:*OR cpe:/a:microsoft:word:2013:sp1:*:*:rt:*:*:*OR cpe:/a:microsoft:word:2016:*:*:*:*:*:*:*
Configuration CCN 1:
cpe:/a:microsoft:publisher:2007:sp3:*:*:*:*:*:*OR cpe:/a:microsoft:powerpoint:2007:sp3:*:*:*:*:*:*OR cpe:/a:microsoft:excel:2007:sp3:*:*:*:*:*:*OR cpe:/a:microsoft:word:2007:sp3:*:*:*:*:*:*OR cpe:/a:microsoft:infopath:2007:sp3:*:*:*:*:*:*OR cpe:/a:microsoft:visio:2007:sp3:*:*:*:*:*:*OR cpe:/a:microsoft:access:2007:sp3:*:*:*:*:*:*OR cpe:/a:microsoft:access:2010:sp2:*:*:*:*:x64:*OR cpe:/a:microsoft:excel:2010:sp2:*:*:*:*:x64:*OR cpe:/a:microsoft:excel:2010:sp2:*:*:*:*:x32:*OR cpe:/a:microsoft:word:2010:sp2:*:*:*:*:x32:*OR cpe:/a:microsoft:word:2010:sp2:*:*:*:*:x64:*OR cpe:/a:microsoft:onenote:2007:sp3:*:*:*:*:*:*OR cpe:/a:microsoft:excel:2013:sp1:*:*:*:*:x32:*OR cpe:/a:microsoft:excel:2013:sp1:*:*:*:*:x64:*OR cpe:/a:microsoft:excel:2013:sp1:*:*:rt:*:*:*OR cpe:/a:microsoft:word:2013:sp1:*:*:*:*:x32:*OR cpe:/a:microsoft:word:2013:sp1:*:*:*:*:x64:*OR cpe:/a:microsoft:word:2013:sp1:*:*:rt:*:*:*OR cpe:/a:microsoft:powerpoint:2013:sp1:*:*:rt:*:*:*OR cpe:/a:microsoft:visio:2010:sp2:*:*:*:*:x32:*OR cpe:/a:microsoft:visio:2010:sp2:*:*:*:*:x64:*OR cpe:/a:microsoft:visio:2013:sp1:*:*:*:*:x32:*OR cpe:/a:microsoft:visio:2013:sp1:*:*:*:*:x64:*OR cpe:/a:microsoft:lync_basic:2013:sp1:*:*:*:*:x32:*OR cpe:/a:microsoft:lync:2013:sp1:*:*:*:*:x64:*OR cpe:/a:microsoft:lync_basic:2013:sp1:*:*:*:*:x64:*OR cpe:/a:microsoft:excel:2016:*:*:*:*:*:x32:*OR cpe:/a:microsoft:excel:2016:*:*:*:*:*:x64:*OR cpe:/a:microsoft:word:2016:*:*:*:*:*:x32:*OR cpe:/a:microsoft:word:2016:*:*:*:*:*:x64:*OR cpe:/a:microsoft:access:2016:*:*:*:*:x32:*:*OR cpe:/a:microsoft:onenote:2010:sp2:*:*:*:*:x32:*OR cpe:/a:microsoft:onenote:2010:sp2:*:*:*:*:x64:*OR cpe:/a:microsoft:onenote:2013:sp1:*:*:*:*:x32:*OR cpe:/a:microsoft:onenote:2013:sp1:*:*:*:*:x64:*OR cpe:/a:microsoft:onenote:2013:sp1:*:*:rt:*:*:*OR cpe:/a:microsoft:onenote:2016:*:*:*:*:*:x32:*OR cpe:/a:microsoft:onenote:2016:*:*:*:*:*:x64:*OR cpe:/a:microsoft:project:2007:sp3:*:*:*:*:*:*OR cpe:/a:microsoft:publisher:2010:sp2:*:*:*:*:x32:*OR cpe:/a:microsoft:publisher:2010:sp2:*:*:*:*:x64:*OR cpe:/a:microsoft:visio:2016:*:*:*:*:*:x32:*OR cpe:/a:microsoft:visio:2016:*:*:*:*:*:x64:*
 Denotes that component is vulnerable |
| BACK |
microsoft access 2007 sp3
microsoft access 2010 sp2
microsoft access 2013 sp1
microsoft access 2016
microsoft excel 2007 sp3
microsoft excel 2010 sp2
microsoft excel 2010 sp2
microsoft excel 2013 sp1
microsoft excel 2013 sp1
microsoft excel 2016
microsoft infopath 2007 sp3
microsoft infopath 2010 sp2
microsoft infopath 2013 sp1
microsoft lync 2013 sp1
microsoft office 2007 ime sp3
microsoft onenote 2007 sp3
microsoft onenote 2010 sp2
microsoft onenote 2013 sp1
microsoft onenote 2013 sp1
microsoft onenote 2016
microsoft pinyin ime 2010
microsoft powerpoint 2007 sp3
microsoft powerpoint 2010 sp2
microsoft powerpoint 2013 sp1
microsoft powerpoint 2013 sp1
microsoft powerpoint 2016
microsoft project 2007 sp3
microsoft project 2016
microsoft project server 2010 sp2
microsoft project server 2013 sp1
microsoft publisher 2007 sp3
microsoft publisher 2010 sp2
microsoft publisher 2013 sp1
microsoft publisher 2016
microsoft skype for business 2016
microsoft visio 2007 sp3
microsoft visio 2010 sp2
microsoft visio 2013 sp1
microsoft visio 2016
microsoft word 2007 sp3
microsoft word 2010 sp2
microsoft word 2013 sp1
microsoft word 2013 sp1
microsoft word 2016
microsoft publisher 2007 sp3
microsoft powerpoint 2007 sp3
microsoft excel 2007 sp3
microsoft word 2007 sp3
microsoft infopath 2007 sp3
microsoft visio 2007 sp3
microsoft access 2007 sp3
microsoft access 2010 sp2
microsoft excel 2010 sp2
microsoft excel 2010 sp2
microsoft word 2010 sp2
microsoft word 2010 sp2
microsoft onenote 2007 sp3
microsoft excel 2013 sp1
microsoft excel 2013 sp1
microsoft excel 2013 sp1
microsoft word 2013 sp1
microsoft word 2013 sp1
microsoft word 2013 sp1
microsoft powerpoint 2013 sp1
microsoft visio 2010 sp2
microsoft visio 2010 sp2
microsoft visio 2013 sp1
microsoft visio 2013 sp1
microsoft lync basic 2013 sp1
microsoft lync 2013 sp1
microsoft lync basic 2013 sp1
microsoft excel 2016
microsoft excel 2016
microsoft word 2016
microsoft word 2016
microsoft access 2016
microsoft onenote 2010 sp2
microsoft onenote 2010 sp2
microsoft onenote 2013 sp1
microsoft onenote 2013 sp1
microsoft onenote 2013 sp1
microsoft onenote 2016
microsoft onenote 2016
microsoft project 2007 sp3
microsoft publisher 2010 sp2
microsoft publisher 2010 sp2
microsoft visio 2016
microsoft visio 2016