CVE-2023-36761

Microsoft Word Information Disclosure Vulnerability

CVSS 6.5 MEDIUM | EPSS 19.0% | KEV | CWE-20
Vexday Risk Score
48 Attention
SSVC decision (CISA)
Attend
PoC available → attend closely
CVSS 6.5 | EPSS 19.0% | KEV yes | PoC | Nuclei | Metasploit | Patch referenced
Lifecycle
12 Sep 2023: Active exploitation (CISA KEV)
12 Sep 2023: Published on NVD
Recommendation: Plan a near-term fix — a public PoC already exists.
In short

Microsoft Word can leak sensitive information from documents when processing specially crafted files, allowing attackers to view data they shouldn't have access to.

Technical detail

An improper input validation vulnerability (CWE-20) in Microsoft Word allows information disclosure through maliciously crafted document files. The attack requires user interaction (document opening) and can expose sensitive content residing in memory or the document structure without requiring elevated privileges.

Summary generated and translated by AI from the official description.
Microsoft Word Information Disclosure Vulnerability
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
