Vulnerability Details : CVE-2015-2503
Microsoft Access 2007 SP3, Excel 2007 SP3, InfoPath 2007 SP3, OneNote 2007 SP3, PowerPoint 2007 SP3, Project 2007 SP3, Publisher 2007 SP3, Visio 2007 SP3, Word 2007 SP3, Office 2007 IME (Japanese) SP3, Access 2010 SP2, Excel 2010 SP2, InfoPath 2010 SP2, OneNote 2010 SP2, PowerPoint 2010 SP2, Project 2010 SP2, Publisher 2010 SP2, Visio 2010 SP2, Word 2010 SP2, Pinyin IME 2010, Access 2013 SP1, Excel 2013 SP1, InfoPath 2013 SP1, OneNote 2013 SP1, PowerPoint 2013 SP1, Project 2013 SP1, Publisher 2013 SP1, Visio 2013 SP1, Word 2013 SP1, Excel 2013 RT SP1, OneNote 2013 RT SP1, PowerPoint 2013 RT SP1, Word 2013 RT SP1, Access 2016, Excel 2016, OneNote 2016, PowerPoint 2016, Project 2016, Publisher 2016, Visio 2016, Word 2016, Skype for Business 2016, and Lync 2013 SP1 allow remote attackers to bypass a sandbox protection mechanism and gain privileges via a crafted web site that is accessed with Internet Explorer, as demonstrated by a transition from Low Integrity to Medium Integrity, aka "Microsoft Office Elevation of Privilege Vulnerability."
Vulnerability category: Gain privilege
Products affected by CVE-2015-2503
- cpe:2.3:a:microsoft:project:2016:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:project:2007:sp3:*:*:*:*:*:*
- cpe:2.3:a:microsoft:access:2007:sp3:*:*:*:*:*:*
- cpe:2.3:a:microsoft:access:2010:sp2:*:*:*:*:*:*
- cpe:2.3:a:microsoft:access:2013:sp1:*:*:*:*:*:*
- cpe:2.3:a:microsoft:access:2016:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:excel:2007:sp3:*:*:*:*:*:*
- cpe:2.3:a:microsoft:excel:2010:sp2:*:*:*:*:x64:*
- cpe:2.3:a:microsoft:excel:2013:sp1:*:*:*:*:*:*
- cpe:2.3:a:microsoft:excel:2010:sp2:*:*:*:*:x86:*
- cpe:2.3:a:microsoft:excel:2013:sp1:*:*:rt:*:*:*
- cpe:2.3:a:microsoft:excel:2016:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:word:2007:sp3:*:*:*:*:*:*
- cpe:2.3:a:microsoft:word:2010:sp2:*:*:*:*:*:*
- cpe:2.3:a:microsoft:word:2013:sp1:*:*:*:*:*:*
- cpe:2.3:a:microsoft:word:2013:sp1:*:*:rt:*:*:*
- cpe:2.3:a:microsoft:word:2016:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:powerpoint:2007:sp3:*:*:*:*:*:*
- cpe:2.3:a:microsoft:powerpoint:2010:sp2:*:*:*:*:*:*
- cpe:2.3:a:microsoft:powerpoint:2013:sp1:*:*:*:*:*:*
- cpe:2.3:a:microsoft:powerpoint:2013:sp1:*:*:rt:*:*:*
- cpe:2.3:a:microsoft:powerpoint:2016:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:visio:2007:sp3:*:*:*:*:*:*
- cpe:2.3:a:microsoft:visio:2010:sp2:*:*:*:*:*:*
- cpe:2.3:a:microsoft:visio:2013:sp1:*:*:*:*:*:*
- cpe:2.3:a:microsoft:visio:2016:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:publisher:2007:sp3:*:*:*:*:*:*
- cpe:2.3:a:microsoft:publisher:2010:sp2:*:*:*:*:*:*
- cpe:2.3:a:microsoft:publisher:2013:sp1:*:*:*:*:*:*
- cpe:2.3:a:microsoft:publisher:2016:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:infopath:2007:sp3:*:*:*:*:*:*
- cpe:2.3:a:microsoft:infopath:2010:sp2:*:*:*:*:*:*
- cpe:2.3:a:microsoft:infopath:2013:sp1:*:*:*:*:*:*
- cpe:2.3:a:microsoft:onenote:2007:sp3:*:*:*:*:*:*
- cpe:2.3:a:microsoft:onenote:2013:sp1:*:*:*:*:*:*
- cpe:2.3:a:microsoft:onenote:2013:sp1:*:*:rt:*:*:*
- cpe:2.3:a:microsoft:onenote:2016:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:onenote:2010:sp2:*:*:*:*:*:*
- cpe:2.3:a:microsoft:project_server:2013:sp1:*:*:*:*:*:*
- cpe:2.3:a:microsoft:project_server:2010:sp2:*:*:*:*:*:*
- cpe:2.3:a:microsoft:pinyin_ime:2010:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:lync:2013:sp1:*:*:*:*:*:*
- cpe:2.3:a:microsoft:office_2007_ime:sp3:*:*:ja:*:*:*:*
- cpe:2.3:a:microsoft:skype_for_business:2016:*:*:*:*:*:*:*
Threat overview for CVE-2015-2503
Top open port discovered on systems with this issue: 443
IPs affected by CVE-2015-2503: 1,283
Threat actors abusing this issue? Yes
Exploit prediction scoring system (EPSS) score for CVE-2015-2503
EPSS score: 0.74% (probability of exploitation activity in the next 30 days)
Percentile: ~78% (the proportion of vulnerabilities that are scored at or below this level)
CVSS scores for CVE-2015-2503
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
9.3 | HIGH | AV:N/AC:M/Au:N/C:C/I:C/A:C | 8.6 | 10.0 | NIST | |
CWE ids for CVE-2015-2503
-
Assigned by: nvd@nist.gov (Primary)
References for CVE-2015-2503
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2015/ms15-116
  Microsoft Security Bulletin MS15-116 - Important | Microsoft Docs
- http://www.securitytracker.com/id/1034117
  Microsoft Skype for Business Lets Remote Users Bypass Sandbox Restrictions on the Target System - SecurityTracker (Third Party Advisory; VDB Entry)
- http://www.securitytracker.com/id/1034122
  Microsoft Office Bugs Let Remote Users Bypass Sandbox Restrictions, Spoof Web Sites, and Execute Arbitrary Code - SecurityTracker (Third Party Advisory; VDB Entry)
- http://www.securitytracker.com/id/1034119
  Microsoft Lync Lets Remote Users Bypass Sandbox Restrictions on the Target System - SecurityTracker (Third Party Advisory; VDB Entry)