Published: 2016/02/12  Last Updated: 2016/02/12

JVN#77012922
Microsoft Producer for Microsoft Office PowerPoint vulnerable to cross-site scripting

Overview

Microsoft Producer for Microsoft Office PowerPoint contains a cross-site scripting vulnerability.

Products Affected

  • Microsoft Producer for Microsoft Office PowerPoint 2003
  • Microsoft Producer for Microsoft Office PowerPoint 2007

Description

Microsoft Producer for Microsoft Office PowerPoint may create a web page which contains a DOM-based cross-site scripting vulnerability (CWE-79).

Impact

An arbitrary script may be executed on the user's web browser.

Solution

Do not use Microsoft Producer for Microsoft Office PowerPoint
Microsoft Producer for Microsoft Office PowerPoint is no longer supported or maintained.
It is recommended to stop using Microsoft Producer for Microsoft Office PowerPoint.

Regenerate the web page
The web page created by Microsoft Producer for Microsoft Office PowerPoint should be regenerated by Microsoft Office PowerPoint 2007 or later.

Vendor Status

Vendor | Status | Last Update | Vendor Notes
Microsoft Japan Co.,Ltd. | Vulnerable | 2016/02/12 |

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Base Score: 4.7

  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality Impact (C): Low (L)
  • Integrity Impact (I): Low (L)
  • Availability Impact (A): None (N)

CVSS v2 AV:N/AC:H/Au:N/C:N/I:P/A:N
Base Score: 2.6

  • Access Vector (AV): Network (N)
  • Access Complexity (AC): High (H)
  • Authentication (Au): None (N)
  • Confidentiality Impact (C): None (N)
  • Integrity Impact (I): Partial (P)
  • Availability Impact (A): None (N)

Other Information

JVN iPedia JVNDB-2016-000018