CVE-2023-36037: Microsoft Excel Security Feature Bypass Vulnerability

Overview

Severity
High (CVSS 3.1 base score 7.8; temporal score 6.8 with the E:U/RL:O/RC:C metrics in the vector below)
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Category
Security Feature Bypass
Exploit Status
Not Exploited
Exploitation Likelihood
Less Likely
Patch Tuesday
2023-Nov
Released
2023-11-14
EPSS Score
0.20% (percentile: 41.8%)

FAQ

What kind of security feature could be bypassed by successfully exploiting this vulnerability?
Opening a malicious file could bypass the Microsoft Office Trust Center external links check. External links can include Dynamic Data Exchange (DDE) and/or references to other workbooks. See "Block or unblock external content in Office documents" (Microsoft Support) for descriptions of the related Trust Center settings.

According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?
An attacker must send the user a malicious file and convince them to open it.

According to the CVSS metrics, successful exploitation of this vulnerability could lead to major loss of confidentiality (C:H), integrity (I:H), and availability (A:H). What does that mean for this vulnerability?
An attacker who successfully exploited this vulnerability could read, modify, and delete data with the rights of the user who opened the file. The vector's PR:N and S:U metrics mean no prior privileges are needed and the impact stays within that user's security context; the vulnerability does not by itself grant privileges beyond those of the victim account.
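The Trust Center check described above is what stands between the user and whatever an OOXML workbook declares under its xl/externalLinks/ parts, which is where Excel stores both DDE links (ddeLink, with the service and topic inline) and references to other workbooks (externalBook, with the target path in the part's .rels file). The following Python script is an added example, not Microsoft's code and not part of this advisory: it enumerates those parts so a responder can triage a suspicious .xlsx/.xlsm offline. The sample package it builds in memory is constructed for the demonstration (the "cmd|/c calc.exe" DDE pair and the intranet URL are made up, not taken from any real sample or from this CVE). It covers only the OOXML externalLinks parts; legacy .xls (BIFF8) files store links differently and are outside its scope, and a hit is a triage signal, not proof that this particular bypass was used.

```python
"""Enumerate external-link parts (DDE, external workbooks, OLE) in an OOXML workbook.

Added example for this advisory page; not Microsoft code. The sample workbook
below is constructed in memory so the script runs offline.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List

# OOXML namespaces as fixed by the spec (not assumptions).
MAIN_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
REL_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"


@dataclass
class ExternalLink:
    part: str    # zip member that declares the link
    kind: str    # element name: "ddeLink", "externalBook", "oleLink", ...
    detail: str  # DDE service|topic, external target, or OLE progId -> target


def _external_targets(zf: zipfile.ZipFile, part: str) -> Dict[str, str]:
    """Map relationship Id -> Target for TargetMode="External" rels of a part."""
    folder, name = part.rsplit("/", 1)
    rels_name = f"{folder}/_rels/{name}.rels"
    targets: Dict[str, str] = {}
    if rels_name not in zf.namelist():
        return targets
    root = ET.fromstring(zf.read(rels_name))
    for rel in root.iter(f"{{{PKG_REL_NS}}}Relationship"):
        if rel.get("TargetMode") == "External":
            targets[rel.get("Id", "")] = rel.get("Target", "")
    return targets


def scan_workbook(data: bytes) -> List[ExternalLink]:
    """Return every external link declared under xl/externalLinks/ in the package."""
    found: List[ExternalLink] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for part in sorted(zf.namelist()):
            if not (part.startswith("xl/externalLinks/") and part.endswith(".xml")):
                continue  # .rels files are read on demand by _external_targets
            root = ET.fromstring(zf.read(part))
            targets = _external_targets(zf, part)
            for child in root:
                tag = child.tag.rsplit("}", 1)[-1]
                rid = child.get(f"{{{REL_NS}}}id", "")
                if tag == "ddeLink":
                    # DDE: Excel would start ddeService and send ddeTopic to it.
                    detail = f"{child.get('ddeService')}|{child.get('ddeTopic')}"
                elif tag == "externalBook":
                    # Another workbook; its location is only in the .rels file.
                    detail = targets.get(rid, "<no external target>")
                elif tag == "oleLink":
                    detail = f"{child.get('progId')} -> {targets.get(rid, '<no external target>')}"
                else:
                    detail = ET.tostring(child, encoding="unicode")[:80]
                found.append(ExternalLink(part, tag, detail))
    return found


def has_dde(links: List[ExternalLink]) -> bool:
    """True when at least one DDE link is present; DDE is the highest-risk link kind."""
    return any(link.kind == "ddeLink" for link in links)


# --- constructed sample workbook (minimal package, not a real Excel export) -----
_DDE_PART = (
    f'<externalLink xmlns="{MAIN_NS}">'
    '<ddeLink ddeService="cmd" ddeTopic="/c calc.exe">'
    '<ddeItems><ddeItem name="A0"/></ddeItems></ddeLink></externalLink>'
)
_BOOK_PART = (
    f'<externalLink xmlns="{MAIN_NS}" xmlns:r="{REL_NS}">'
    '<externalBook r:id="rId1"><sheetNames><sheetName val="Sheet1"/></sheetNames>'
    '</externalBook></externalLink>'
)
_BOOK_RELS = (
    f'<Relationships xmlns="{PKG_REL_NS}"><Relationship Id="rId1" '
    f'Type="{REL_NS}/externalLinkPath" '
    'Target="https://intranet.example/finance/q3.xlsx" TargetMode="External"/>'
    '</Relationships>'
)


def build_sample() -> bytes:
    """Zip the constructed parts into a minimal workbook package."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/externalLinks/externalLink1.xml", _DDE_PART)
        zf.writestr("xl/externalLinks/externalLink2.xml", _BOOK_PART)
        zf.writestr("xl/externalLinks/_rels/externalLink2.xml.rels", _BOOK_RELS)
    return buf.getvalue()


if __name__ == "__main__":
    links = scan_workbook(build_sample())
    for link in links:
        print(f"{link.part}: {link.kind} {link.detail}")
    print("DDE present:", has_dde(links))
```

To run it against a real file, replace build_sample() with the bytes of the workbook under investigation; anything reported as ddeLink, or as an externalBook whose target points outside the organisation, is what the Trust Center prompt would normally have asked the user about before the content was loaded.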

Affected Products (9)

Microsoft Office

  • Microsoft Office 2019 for 32-bit editions
  • Microsoft Office 2019 for 64-bit editions
  • Microsoft 365 Apps for Enterprise for 32-bit Systems
  • Microsoft 365 Apps for Enterprise for 64-bit Systems
  • Microsoft Office LTSC for Mac 2021
  • Microsoft Office LTSC 2021 for 64-bit editions
  • Microsoft Office LTSC 2021 for 32-bit editions
  • Microsoft Excel 2016 (32-bit edition)
  • Microsoft Excel 2016 (64-bit edition)

Security Updates (3)

Acknowledgments

Nathan Shomber of Microsoft

Revision History

  • 2023-11-14: Information published.