CVE-2023-23396: Microsoft Excel Denial of Service Vulnerability

Overview

Severity
Medium (CVSS 6.5)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Category
Denial of Service
Exploit Status
Not Exploited
Exploitation Likelihood
Less Likely
Patch Tuesday
2023-Mar
Released
2023-03-14
Last Updated
2023-06-13
EPSS Score
8.25% (percentile: 92.2%)

FAQ

How could an attacker exploit this vulnerability?
The attacker could exploit this vulnerability by convincing a victim to open a specially crafted XLSX file which, when opened, would cause a denial-of-service condition for other processes running on that machine.

Is the Preview Pane an attack vector for this vulnerability?
No, the Preview Pane is not an attack vector.

According to the CVSS metric, the attack vector is network (AV:N). What does that mean for this vulnerability?
An attacker could trigger this vulnerability by convincing a victim to access a malicious file via a network connection or by downloading and opening the malicious file locally. In the worst-case scenario, the malicious file could be triggered with a web request (AV:N). When multiple attack vectors can be used, we assign a score based on the scenario with the higher risk.

Detection & Weaponization (1 source)

Maturity: Exploit

  • GitHub PoC: 1 repository

Affected Products (2)

Microsoft Office

  • Microsoft Office Online Server
  • Microsoft Office Web Apps Server 2013 Service Pack 1

Security Updates (2)

Acknowledgments

Luca Barile (https://lucabarile.github.io/)

Revision History

  • 2023-03-14: Information published.
  • 2023-05-09: Added FAQ information. This is an informational change only.
  • 2023-05-18: Updated FAQ information. This is an informational change only.
  • 2023-06-13: Added FAQ information. This is an informational change only.