ID CVE-2008-4253
Summary The FlexGrid ActiveX control in Microsoft Visual Basic 6.0, Visual FoxPro 8.0 SP1 and 9.0 SP1 and SP2, Office FrontPage 2002 SP3, and Office Project 2003 SP3 does not properly handle errors during access to incorrectly initialized objects, which allows remote attackers to execute arbitrary code via a crafted HTML document, related to corruption of the "system state," aka "FlexGrid Control Memory Corruption Vulnerability."
References
Vulnerable Configurations
  • cpe:2.3:a:microsoft:office_frontpage:2002:sp3:*:*:*:*:*:*
    cpe:2.3:a:microsoft:office_frontpage:2002:sp3:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:project:2003:sp3:*:*:*:*:*:*
    cpe:2.3:a:microsoft:project:2003:sp3:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:project:2007:*:*:*:*:*:*:*
    cpe:2.3:a:microsoft:project:2007:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:project:2007:sp1:*:*:*:*:*:*
    cpe:2.3:a:microsoft:project:2007:sp1:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:visual_basic:6.0:*:runtime_extended_files:*:*:*:*:*
    cpe:2.3:a:microsoft:visual_basic:6.0:*:runtime_extended_files:*:*:*:*:*
  • cpe:2.3:a:microsoft:visual_foxpro:8.0:sp1:*:*:*:*:*:*
    cpe:2.3:a:microsoft:visual_foxpro:8.0:sp1:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:visual_foxpro:9.0:sp1:*:*:*:*:*:*
    cpe:2.3:a:microsoft:visual_foxpro:9.0:sp1:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:visual_foxpro:9.0:sp2:*:*:*:*:*:*
    cpe:2.3:a:microsoft:visual_foxpro:9.0:sp2:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:visual_studio_.net:2002:sp1:*:*:*:*:*:*
    cpe:2.3:a:microsoft:visual_studio_.net:2002:sp1:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:visual_studio_.net:2003:sp1:*:*:*:*:*:*
    cpe:2.3:a:microsoft:visual_studio_.net:2003:sp1:*:*:*:*:*:*
CVSS
Base: 8.5 (as of 12-10-2018 - 21:48)
Impact:
Exploitability:
CWE CWE-399
CAPEC
Access
VectorComplexityAuthentication
NETWORK MEDIUM SINGLE
Impact
ConfidentialityIntegrityAvailability
COMPLETE COMPLETE COMPLETE
assigner via4 cve@mitre.org
cvss-vector via4 AV:N/AC:M/Au:S/C:C/I:C/A:C
oval via4
accepted 2012-11-12T04:00:35.411-05:00
class vulnerability
contributors
  • name Sudhir Gandhe
    organization Secure Elements, Inc.
  • name Pradeep R B
    organization SecPod Technologies
  • name Pradeep R B
    organization SecPod Technologies
definition_extensions
  • comment Microsoft Project 2003 SP3 is installed
    oval oval:org.mitre.oval:def:5755
  • comment Microsoft Office XP is installed
    oval oval:org.mitre.oval:def:663
  • comment Microsoft Visual FoxPro is installed
    oval oval:org.mitre.oval:def:14198
  • comment Microsoft Visual Basic 6.0 is installed
    oval oval:org.mitre.oval:def:15369
description The FlexGrid ActiveX control in Microsoft Visual Basic 6.0, Visual FoxPro 8.0 SP1 and 9.0 SP1 and SP2, Office FrontPage 2002 SP3, and Office Project 2003 SP3 does not properly handle errors during access to incorrectly initialized objects, which allows remote attackers to execute arbitrary code via a crafted HTML document, related to corruption of the "system state," aka "FlexGrid Control Memory Corruption Vulnerability."
family windows
id oval:org.mitre.oval:def:5994
status accepted
submitted 2008-12-09T13:31:00
title FlexGrid Control Memory Corruption Vulnerability
version 67
refmap via4
bid 32592
cert TA08-344A
confirm http://support.avaya.com/elmodocs2/security/ASA-2008-473.htm
ms MS08-070
sectrack 1021369
vupen ADV-2008-3382
vulnerable_product via4
  • cpe:2.3:a:microsoft:office_frontpage:2002:sp3:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:project:2003:sp3:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:project:2007:*:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:project:2007:sp1:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:visual_basic:6.0:*:runtime_extended_files:*:*:*:*:*
  • cpe:2.3:a:microsoft:visual_foxpro:8.0:sp1:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:visual_foxpro:9.0:sp1:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:visual_foxpro:9.0:sp2:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:visual_studio_.net:2002:sp1:*:*:*:*:*:*
  • cpe:2.3:a:microsoft:visual_studio_.net:2003:sp1:*:*:*:*:*:*
Last major update 12-10-2018 - 21:48
Published 10-12-2008 - 14:00
Back to Top