5

CVE-2006-2055

Argument injection vulnerability in Microsoft Outlook 2003 SP1 allows user-assisted remote attackers to modify command line arguments to an invoked mail client via " (double quote) characters in a mailto: scheme handler, as demonstrated by launching Microsoft Outlook with an arbitrary filename as an attachment.  NOTE: it is not clear whether this issue is implementation-specific or a problem in the Microsoft API.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
MicrosoftOutlook Version2003 Updatesp1
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 15.38% 0.964
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5 10 2.9
AV:N/AC:L/Au:N/C:P/I:N/A:N
CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.

http://ingehenriksen.blogspot.com/2006/04/office-2003-file-attachment-exploit.html
Broken Link
http://secunia.com/advisories/19819
Broken Link
http://www.osvdb.org/25003
Broken Link
http://www.securityfocus.com/archive/1/432009/100/0/threaded
Third Party Advisory
Broken Link
VDB Entry
http://www.vupen.com/english/advisories/2006/1538
Broken Link
https://exchange.xforce.ibmcloud.com/vulnerabilities/26118
Third Party Advisory
VDB Entry