#rce

**According to the CVSS metric, privileges required is low (PR:L). What does that mean for this vulnerability?** The attacker must be authenticated and possess the permissions for page creation to be able to exploit this vulnerability.

**I am running SharePoint Enterprise Server 2013 Service Pack 1. Do I need to install both updates that are listed for SharePoint Enterprise Server 2013 Service Pack 1?** No. The Cumulative update for SharePoint Server 2013 includes the update for Foundation Server 2013. Customers running SharePoint Server 2013 Service Pack 1 can install the cumulative update or the security update, which is the same update as for Foundation Server 2013. Please note that this is a clarification of the existing servicing model for SharePoint Server 2013 and applies for all previous updates.

**How could an attacker exploit this vulnerability?** An attacker could exploit the vulnerability by tricking an authenticated user into attempting to connect to a malicious SQL server via ODBC, which could result in the server receiving a malicious networking packet. This could allow the attacker to execute code remotely on the client.

**How could an attacker exploit this vulnerability?** An attacker could exploit the vulnerability by tricking an authenticated user into attempting to connect to a malicious SQL server via OLEDB, which could result in the server receiving a malicious networking packet. This could allow the attacker to execute code remotely on the client.

**According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?** A user needs to be tricked into running malicious files.

**According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?** A user needs to be tricked into running malicious files.

**Is the Preview Pane an attack vector for this vulnerability?** No, the Preview Pane is not an attack vector.

**Is the Preview Pane an attack vector for this vulnerability?** No, the Preview Pane is not an attack vector.

**According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?** A user needs to be tricked into running malicious files.

**According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?** Successful exploitation of this vulnerability requires an attacker to win a race condition.