ID CVE-2002-1056
Summary Microsoft Outlook 2000 and 2002, when configured to use Microsoft Word as the email editor, does not block scripts that are used while editing email messages in HTML or Rich Text Format (RTF), which could allow remote attackers to execute arbitrary scripts via an email that the user forwards or replies to.
References
Vulnerable Configurations
  • cpe:2.3:a:microsoft:outlook:2000:*:*:*:*:*:*:*
    cpe:2.3:a:microsoft:outlook:2000:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:outlook:2002:*:*:*:*:*:*:*
    cpe:2.3:a:microsoft:outlook:2002:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:word:2000:*:*:*:*:*:*:*
    cpe:2.3:a:microsoft:word:2000:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:word:2000:sr1:*:*:*:*:*:*
    cpe:2.3:a:microsoft:word:2000:sr1:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:word:2000:sr1a:*:*:*:*:*:*
    cpe:2.3:a:microsoft:word:2000:sr1a:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:word:2002:*:*:*:*:*:*:*
    cpe:2.3:a:microsoft:word:2002:*:*:*:*:*:*:*
CVSS
Base: 7.5 (as of 12-10-2018 - 21:31)
Impact:
Exploitability:
CWE NVD-CWE-Other
CAPEC
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
assigner via4 cve@mitre.org
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:P/A:P
oval via4
  • accepted 2012-05-28T04:01:27.874-04:00
    class vulnerability
    contributors
    • name Ingrid Skoog
      organization The MITRE Corporation
    • name Ingrid Skoog
      organization The MITRE Corporation
    • name John Hoyland
      organization Centennial Software
    • name Shane Shaffer
      organization G2, Inc.
    description Microsoft Outlook 2000 and 2002, when configured to use Microsoft Word as the email editor, does not block scripts that are used while editing email messages in HTML or Rich Text Format (RTF), which could allow remote attackers to execute arbitrary scripts via an email that the user forwards or replies to.
    family windows
    id oval:org.mitre.oval:def:205
    status accepted
    submitted 2004-09-06T12:00:00.000-04:00
    title MS Outlook (Word 2000) RTF/HTML Script Execution Vulnerability
    version 6
  • accepted 2012-05-28T04:01:43.568-04:00
    class vulnerability
    contributors
    • name Ingrid Skoog
      organization The MITRE Corporation
    • name Jonathan Baker
      organization The MITRE Corporation
    • name John Hoyland
      organization Centennial Software
    • name Matthew Wojcik
      organization The MITRE Corporation
    • name Shane Shaffer
      organization G2, Inc.
    • name Shane Shaffer
      organization G2, Inc.
    description Microsoft Outlook 2000 and 2002, when configured to use Microsoft Word as the email editor, does not block scripts that are used while editing email messages in HTML or Rich Text Format (RTF), which could allow remote attackers to execute arbitrary scripts via an email that the user forwards or replies to.
    family windows
    id oval:org.mitre.oval:def:429
    status accepted
    submitted 2004-08-24T12:00:00.000-04:00
    title MS Outlook (Word 2002) RTF/HTML Script Execution Vulnerability
    version 8
refmap via4
bid 4397
bugtraq
  • 20020331 More Office XP Problems
  • 20020403 More Office XP problems (Version 2.0)
ms MS02-021
xf outlook-object-execute-script(8708)
vulnerable_product via4
  • cpe:2.3:a:microsoft:outlook:2000:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:outlook:2002:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:word:2000:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:word:2000:sr1:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:word:2000:sr1a:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:word:2002:*:*:*:*:*:*:*
Last major update 12-10-2018 - 21:31
Published 16-05-2002 - 04:00
Back to Top