CVE-2023-23391: Office for Android Spoofing Vulnerability

Overview

Severity

Medium (CVSS 5.5)

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C

Category

Spoofing

Exploit Status

Not Exploited

Exploitation Likelihood

Less Likely

Patch Tuesday

2023-Mar

Released

2023-03-14

EPSS Score

1.17% (percentile: 78.7%)

FAQ

According to the CVSS metric, the attack vector is local (AV:L) and user interaction is required (UI:R), what does that mean for this vulnerability? The attack itself is carried out locally. For example, when the score indicates that the Attack Vector is Local and User Interaction is Required, this could describe an exploit in which an attacker, through social engineering, convinces a victim to click on a local file path link or download and run a malicious application or file. What is the nature of the spoofing? An attacker could manipulate a malicious link, application, or file to disguise it as a legitimate link or file to trick the victim.

Affected Products (1)

Microsoft Office

• Microsoft Office for Android

Security Updates (1)

• Release Notes

Acknowledgments

<a href="https://www.linkedin.com/in/valsamaras">Dimitrios Valsamaras</a> with Microsoft

Revision History

• 2023-03-14: Information published.