CVE-2019-0541

Warning

Exploit

EPSS 84.14%
Published 08.01.2019 21:29:00
Last modified 10.04.2025 16:56:24
Source secure@microsoft.com
Teams watchlist Login
Open Login

A remote code execution vulnerability exists in the way that the MSHTML engine inproperly validates input, aka "MSHTML Engine Remote Code Execution Vulnerability." This affects Microsoft Office, Microsoft Office Word Viewer, Internet Explorer 9, Internet Explorer 11, Microsoft Excel Viewer, Internet Explorer 10, Office 365 ProPlus.

Affected products Warnungen 1 Metrics 4 CWE 1 References 6

Data is provided by the National Vulnerability Database (NVD)

Microsoft ≫ Internet Explorer Version11

   Microsoft ≫ Windows 10 1507 Version- HwPlatformx64
   Microsoft ≫ Windows 10 1507 Version- HwPlatformx86
   Microsoft ≫ Windows 10 1607 Version- HwPlatformx64
   Microsoft ≫ Windows 10 1607 Version- HwPlatformx86
   Microsoft ≫ Windows 10 1703 Version- HwPlatformx64
   Microsoft ≫ Windows 10 1703 Version- HwPlatformx86
   Microsoft ≫ Windows 10 1709 Version- HwPlatformarm64
   Microsoft ≫ Windows 10 1709 Version- HwPlatformx64
   Microsoft ≫ Windows 10 1709 Version- HwPlatformx86
   Microsoft ≫ Windows 10 1803 Version- HwPlatformarm64
   Microsoft ≫ Windows 10 1803 Version- HwPlatformx64
   Microsoft ≫ Windows 10 1803 Version- HwPlatformx86
   Microsoft ≫ Windows 10 1809 Version- HwPlatformarm64
   Microsoft ≫ Windows 10 1809 Version- HwPlatformx64
   Microsoft ≫ Windows 10 1809 Version- HwPlatformx86
   Microsoft ≫ Windows 7 Version- Updatesp1
   Microsoft ≫ Windows 8.1 Version-
   Microsoft ≫ Windows Rt 8.1 Version-
   Microsoft ≫ Windows Server 2008 Versionr2 Updatesp1 HwPlatformx64
   Microsoft ≫ Windows Server 2012 Versionr2
   Microsoft ≫ Windows Server 2016 Version-
   Microsoft ≫ Windows Server 2019 Version-

Microsoft ≫ Excel Viewer Version2007 Updatesp3

Microsoft ≫ Office Version2010 Updatesp2

Microsoft ≫ Office Version2013 Updatesp1

Microsoft ≫ Office Version2013 Updatesp1 SwEditionrt

Microsoft ≫ Office Version2016

Microsoft ≫ Office Version2019

Microsoft ≫ Office 365 Proplus Version-

Microsoft ≫ Office Word Viewer Version-

Microsoft ≫ Internet Explorer Version9

Microsoft ≫ Windows Server 2008 Version- Updatesp2

Microsoft ≫ Internet Explorer Version10

Microsoft ≫ Windows Server 2012 Version-

03.11.2021: CISA Known Exploited Vulnerabilities (KEV) Catalog

Microsoft MSHTML Remote Code Execution Vulnerability

Vulnerability

Microsoft MSHTML engine contains an improper input validation vulnerability that allows for remote code execution vulnerability.

Description

Apply updates per vendor instructions.

Required actions

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	84.14%	0.993

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd@nist.gov	9.3	8.6	10	AV:N/AC:M/Au:N/C:C/I:C/A:C
134c704f-9b21-4f2e-91b3-4a467353bcc0	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

http://www.securityfocus.com/bid/106402

Third Party Advisory

Broken Link

VDB Entry

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0541

Patch

Vendor Advisory

https://www.exploit-db.com/exploits/46536/

Third Party Advisory

Exploit

VDB Entry

https://nvd.nist.gov/vuln/detail/CVE-2019-0541

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2019-0541

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2019-0541

EUVD