Security
Headlines
HeadlinesLatestCVEs

Tag

#Security Vulnerability

CVE-2022-23280: Microsoft Outlook for Mac Security Feature Bypass Vulnerability

**Is the Preview Pane an attack vector for this vulnerability?** Yes, the Preview Pane is an attack vector.

Microsoft Security Response Center
#vulnerability#mac#microsoft#Microsoft Office Outlook#Security Vulnerability
CVE-2022-23256: Azure Data Explorer Spoofing Vulnerability

**According to the CVSS, User Interaction is Required. What interaction would the user have to do?** The user would have to click on a specially crafted URL to be compromised by the attacker.

CVE-2022-23255: Microsoft OneDrive for Android Security Feature Bypass Vulnerability

**What privileges are required to exploit this vulnerability?** The attacker needs access to an unlocked mobile device to exploit the vulnerability.

CVE-2022-23252: Microsoft Office Information Disclosure Vulnerability

**What type of information could be disclosed by this vulnerability?** The type of information that could be disclosed if an attacker successfully exploited this vulnerability is uninitialized memory.

CVE-2022-21974: Roaming Security Rights Management Services Remote Code Execution Vulnerability

**According to the CVSS score, the attack vector is Local. Why does the CVE title indicate that this is a Remote Code Execution?** The word **Remote** in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. For example, when the score indicates that the **Attack Vector** is **Local** and **User Interaction** is **Required**, this could describe an exploit in which an attacker, through social engineering, convinces a victim to download and open a specially crafted file from a website which leads to a local attack on their computer.

CVE-2022-21971: Windows Runtime Remote Code Execution Vulnerability

**According to the CVSS score, the attack vector is Local. Why does the CVE title indicate that this is a Remote Code Execution?** The word **Remote** in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. For example, when the score indicates that the **Attack Vector** is **Local** and **User Interaction** is **Required**, this could describe an exploit in which an attacker, through social engineering, convinces a victim to download and open a specially crafted file from a website which leads to a local attack on their computer.

CVE-2022-23274: Microsoft Dynamics GP Remote Code Execution Vulnerability

**How could an attacker exploit this vulnerability?** An authenticated user could send a specially crafted SQL request to a Dynamics GP Web Service and perform remote code execution.

CVE-2022-23272: Microsoft Dynamics GP Elevation Of Privilege Vulnerability

**How could an attacker exploit this vulnerability?** An attacker could send a specially crafted request to a vulnerable Dynamics site and overwrite database contents.

CVE-2022-23269: Microsoft Dynamics GP Spoofing Vulnerability

**The CVSS Score says user action is required. What type of user action is required?** An authenticated user would have to visit a specific URL that will create an action for a workflow.

CVE-2022-23254: Microsoft Power BI Elevation of Privilege Vulnerability

**What actions do I need to take to be protected from this vulnerability?** The main update will be automatically pushed to all affected products and services. We recommend that customers update PowerBI Client JS SDK to version 2.19.1. The package can be downloaded from NPM or NuGet Gallery. **How do I know if I am affected?** Our team will contact customers that are affected by this vulnerability. We recommend that affected customers save their Power Apps to ensure the fix takes effect as expected.