Security
Headlines
HeadlinesLatestCVEs

Tag

#Security Vulnerability

CVE-2023-36035: Microsoft Exchange Server Spoofing Vulnerability

**According to the CVSS metrics, successful exploitation of this vulnerability could lead to major loss of confidentiality (C:H), integrity (I:H) and availability (A:H). What does that mean for this vulnerability?** An attacker who successfully exploited this vulnerability could access a user's Net-NTLMv2 hash which could be used as a basis of an NTLM Relay attack against another service to authenticate as the user.

Microsoft Security Response Center
#vulnerability#microsoft#auth#Microsoft Exchange Server#Security Vulnerability
CVE-2023-36038: ASP.NET Core Denial of Service Vulnerability

**How could an attacker exploit this vulnerability?** This vulnerability could be exploited if http requests to .NET 8 RC 1 running on IIS InProcess hosting model are cancelled. Threads counts would increase and an OutOfMemoryException is possible.

CVE-2023-36030: Microsoft Dynamics 365 Sales Spoofing Vulnerability

**According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability?** The vulnerability is in the web server, but the malicious scripts execute in the victim’s browser on their machine.

CVE-2023-36028: Microsoft Protected Extensible Authentication Protocol (PEAP) Remote Code Execution Vulnerability

**How could an attacker exploit this vulnerability?** An unauthenticated attacker could attack a Microsoft Protected Extensible Authentication Protocol (PEAP) Server by sending specially crafted malicious PEAP packets over the network.

CVE-2023-36025: Windows SmartScreen Security Feature Bypass Vulnerability

**What kind of security feature could be bypassed by successfully exploiting this vulnerability?** The attacker would be able to bypass Windows Defender SmartScreen checks and their associated prompts.

CVE-2023-36021: Microsoft On-Prem Data Gateway Security Feature Bypass Vulnerability

**What kind of security feature could be bypassed by successfully exploiting this vulnerability?** An attacker who successfully exploited this vulnerability could bypass certificate validation mechanisms and provide arbitrary certificates that do not have proper signatures.

CVE-2023-36033: Windows DWM Core Library Elevation of Privilege Vulnerability

**What privileges could be gained by an attacker who successfully exploited this vulnerability?** An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.

CVE-2023-36031: Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability

**According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?** The user would have to click on a specially crafted URL to be compromised by the attacker.

CVE-2023-36018: Visual Studio Code Jupyter Extension Spoofing Vulnerability

**According to the CVSS metrics, successful exploitation of this vulnerability could lead to major loss of confidentiality (C:H), integrity (I:H), and availability (A:H). What does that mean for this vulnerability?** An attacker who successfully exploited this vulnerability could gain high privileges, which include read, write, and delete functionality.

CVE-2023-36016: Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability

**According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?** The user would have to click on a specially crafted URL to be compromised by the attacker.