Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
mscveMicrosoftMS:CVE-2017-11876
HistoryNov 14, 2017 - 8:00 a.m.

Microsoft Project Server Elevation of Privilege Vulnerability

2017-11-1408:00:00
Microsoft
msrc.microsoft.com
19

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS

0.003

Percentile

71.8%

JSON

An elevation of privilege vulnerability exists in Microsoft Project when Microsoft Project Server does not properly manage user sessions. For this Cross-site Request Forgery(CSRF/XSRF) vulnerability to be exploited, the victim must be authenticated to (logged on) the target site.

In a web-based attack scenario an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted webpage that is designed to exploit the vulnerability. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or Instant Messenger message. An attacker who successfully exploited this vulnerability could read content that the attacker is not authorized to read, use the victim’s identity to take actions on the web application on behalf of the victim, such as change permissions and delete content, and inject malicious content in the browser of the victim.

The update addresses the vulnerability by modifying how Microsoft Project Server manages user session authentication.

Related

mskb 2
cve 1
openvas 2
cvelist 1
nvd 1
prion 1
nessus 1
symantec 1
kaspersky 1
talosblog 1
trendmicroblog 1
mskb
mskb
Description of the security update for Project Server 2013: November 14, 2017
2017-11-14 08:00:00
Description of the security update for SharePoint Server 2016: November 14, 2017
2017-11-14 08:00:00
cve
cve
CVE-2017-11876
2017-11-15 03:29:01
openvas
openvas
Microsoft Project Server 2013 Elevation of Privilege Vulnerability (KB4011257)
2017-11-15 00:00:00
Microsoft SharePoint Enterprise Server 2016 Multiple Vulnerabilities (KB4011244)
2017-11-15 00:00:00
cvelist
cvelist
CVE-2017-11876
2017-11-15 03:00:00
nvd
nvd
CVE-2017-11876
2017-11-15 03:29:01
prion
prion
Privilege escalation
2017-11-15 03:29:00
nessus
nessus
Security Updates for Microsoft SharePoint Server and Microsoft Project Server (November 2017)
2017-11-15 00:00:00
symantec
symantec
Microsoft Office CVE-2017-11876 Cross Site Request Forgery Vulnerability
2017-11-14 00:00:00
kaspersky
kaspersky
KLA11139 Multiple vulnerabilities in Microsoft Office
2017-11-14 00:00:00
talosblog
talosblog
Microsoft Patch Tuesday - November 2017
2017-11-14 11:54:00
trendmicroblog
trendmicroblog
TippingPoint Threat Intelligence and Zero-Day Coverage – Week of November 13, 2017
2017-11-17 16:46:19

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS

0.003

Percentile

71.8%

JSON
Related for MS:CVE-2017-11876
mskb2cve1openvas2cvelist1nvd1prion1nessus1symantec1kaspersky1talosblog1trendmicroblog1