Security Updates for Microsoft Office Online Server and Microsoft Office Web Apps (June 2018)

medium Nessus Plugin ID 110498

Synopsis

The Microsoft Office Online Server or Microsoft Office Web Apps installation on the remote host is missing a security update.

Description

The Microsoft Office Online Server or Microsoft Office Web Apps installation on the remote host is missing a security update. It is, therefore, affected by the following vulnerability :

- An elevation of privilege vulnerability exists when Office Web Apps Server 2013 and Office Online Server fail to properly handle web requests. An attacker who successfully exploited this vulnerability could perform script/content injection attacks and attempt to trick the user into disclosing sensitive information.
(CVE-2018-8247)

Solution

Microsoft has released the following security updates to address this issue:
-KB4011026
-KB4022203
-KB4022183

See Also

http://www.nessus.org/u?ba942b2e

http://www.nessus.org/u?27d4da8d

http://www.nessus.org/u?8ea76bc5

Plugin Details

Severity: Medium

ID: 110498

File Name: smb_nt_ms18_jun_office_web.nasl

Version: 1.2

Type: local

Agent: windows

Published: 6/12/2018

Updated: 11/4/2019

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 2.5

CVSS v2

Risk Factor: Medium

Base Score: 5.8

Temporal Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2018-8247

CVSS v3

Risk Factor: Medium

Base Score: 5.4

Temporal Score: 4.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:microsoft:office_online_server, cpe:/a:microsoft:office_web_apps

Required KB Items: SMB/MS_Bulletin_Checks/Possible

Exploit Ease: No known exploits are available

Patch Publication Date: 6/12/2018

Vulnerability Publication Date: 6/12/2018

Reference Information

CVE: CVE-2018-8247

MSFT: MS18-4011026, MS18-4022183, MS18-4022203

MSKB: 4011026, 4022183, 4022203