Vulnerability Details : CVE-2017-8710
The Microsoft Common Console Document (.msc) in Microsoft Windows 7 SP1, Windows Server 2008 SP2 and R2 SP1 allows an attacker to read arbitrary files via an XML external entity (XXE) declaration, due to the way that the Microsoft Common Console Document (.msc) parses XML input containing a reference to an external entity, aka "Windows Information Disclosure Vulnerability".
Vulnerability category: XML external entity (XXE) injection; Information leak
Exploit prediction scoring system (EPSS) score for CVE-2017-8710
Probability of exploitation activity in the next 30 days: 0.63%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 77 %
CVSS scores for CVE-2017-8710
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N | 8.6 | 2.9 | NIST |
5.5 | MEDIUM | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | 1.8 | 3.6 | NIST |
CWE ids for CVE-2017-8710
- The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. Assigned by: nvd@nist.gov (Primary)
References for CVE-2017-8710
- http://www.securitytracker.com/id/1039325
  Windows Kernel Multiple Flaws Let Local Users Obtain Potentially Sensitive Information, Bypass Security Features, and Gain Elevated Privileges on the Target System - SecurityTracker (Third Party Advisory; VDB Entry)
- http://www.securityfocus.com/bid/100793
  Microsoft Windows CVE-2017-8710 Information Disclosure Vulnerability (Third Party Advisory; VDB Entry)
- https://www.vulnerability-lab.com/get_content.php?id=2094
  (Exploit; Third Party Advisory)
- https://www.youtube.com/watch?v=bIFot3a-58I
  Microsoft Windows CVE-2017-8710 .MSC XXE Data Exfiltration - Information Disclosure Vulnerability - YouTube (Exploit; Third Party Advisory)
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8710
  CVE-2017-8710 | Windows System Information Console Information Disclosure Vulnerability (Patch; Vendor Advisory)
Products affected by CVE-2017-8710
- cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*
- cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:itanium:*
- cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*
- cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*