According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft OneNote and then click on a specially crafted URL to be compromised by the attacker. According to the CVSS metrics, successful exploitation of this vulnerability could lead to major loss of confidentiality (C:H) but have no effect on integrity (I:N) or on availability (A:N). What does that mean for this vulnerability? Successful exploitation of this vulnerability enables an attacker to obtain a victim's NetNTLMv2 hashes thus impact to Confidentiality is High. Integrity and Availability are not impacted because the hashes do not directly enable an attacker to modify data or impact the victim's application or server runtime.
Jordan Hopkins - Rootshell Security