CVE-2019-1109

A spoofing vulnerability exists when Microsoft Office Javascript does not check the validity of the web page making a request to Office documents.An attacker who successfully exploited this vulnerability could read or write information in Office documents.The security update addresses the vulnerability by correcting the way that Microsoft Office Javascript verifies trusted web pages., aka 'Microsoft Office Spoofing Vulnerability'.

CVSS v3 9.1 CRITICAL
CVSS v2.0 6.4 MEDIUM

9.1^/10

CVSS v3 : CRITICAL

Vector : AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Exploitability : 3.9 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

6.4^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:N

Exploitability : 10.0 / Impact : 4.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1109	Patch Vendor Advisory
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1109	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:microsoft:office:2013:sp1::::::
	cpe:2.3:a:microsoft:office:2013:sp1:::rt:::*
	cpe:2.3:a:microsoft:office:2016:::::::*
	cpe:2.3:a:microsoft:office:2019:::::::*
	cpe:2.3:a:microsoft:office_365:-::::proplus:::

History

21 Nov 2024, 04:36

Type	Values Removed	Values Added
References	~~() https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1109 - Patch, Vendor Advisory~~	() https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1109 - Patch, Vendor Advisory

Information

Published : 2019-07-15 19:15

Updated : 2024-11-21 04:36

NVD link : CVE-2019-1109

Mitre link : CVE-2019-1109

CVE.ORG link : CVE-2019-1109

JSON object : View

Products Affected

microsoft

office
office_365

CWE

CWE-20

Improper Input Validation

{"id": "CVE-2019-1109", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.4, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 4.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 3.9}]}, "published": "2019-07-15T19:15:19.763", "references": [{"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1109", "tags": ["Patch", "Vendor Advisory"], "source": "secure@microsoft.com"}, {"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1109", "tags": ["Patch", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-20"}]}], "descriptions": [{"lang": "en", "value": "A spoofing vulnerability exists when Microsoft Office Javascript does not check the validity of the web page making a request to Office documents.An attacker who successfully exploited this vulnerability could read or write information in Office documents.The security update addresses the vulnerability by correcting the way that Microsoft Office Javascript verifies trusted web pages., aka 'Microsoft Office Spoofing Vulnerability'."}, {"lang": "es", "value": "Existe una vulnerabilidad de suplantaci\u00f3n de identidad cuando Microsoft Office Javascript no comprueba la validez de la p\u00e1gina web que realiza una solicitud a documentos de Office. Un atacante que aprovech\u00f3 esta vulnerabilidad podr\u00eda leer o escribir informaci\u00f3n en documentos de Office. La actualizaci\u00f3n de seguridad subsana la vulnerabilidad al corregir la forma que Microsoft Office Javascript verifica las p\u00e1ginas web de confianza, tambi\u00e9n se conoce como 'Microsoft Office Spoofing Vulnerability'."}], "lastModified": "2024-11-21T04:36:02.137", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:office:2013:sp1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "120690A6-E0A1-4E36-A35A-C87109ECC064"}, {"criteria": "cpe:2.3:a:microsoft:office:2013:sp1:*:*:rt:*:*:*", "vulnerable": true, "matchCriteriaId": "F7DDFFB8-2337-4DD7-8120-56CC8EF134B4"}, {"criteria": "cpe:2.3:a:microsoft:office:2016:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E0B3B0BC-C7C6-4687-AD72-DCA29FF9AE3A"}, {"criteria": "cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FF177984-A906-43FA-BF60-298133FBBD6B"}, {"criteria": "cpe:2.3:a:microsoft:office_365:-:*:*:*:proplus:*:*:*", "vulnerable": true, "matchCriteriaId": "42B167E5-746F-457D-821D-42EF3E3CD8B7"}], "operator": "OR"}]}], "sourceIdentifier": "secure@microsoft.com"}