vendor:
Outlook
by:
SecurityFocus
7.5
CVSS
HIGH
Arbitrary Command Execution
94
CWE
Product Name: Outlook
Affected Version From: Outlook XP
Affected Version To: Outlook XP
Patch Exists: Yes
Related CWE: CVE-2002-0647
CPE: microsoft:outlook
Metasploit:
N/A
Other Scripts:
N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References:
N/A
Nuclei Metadata: N/A
Platforms Tested: Windows
2002
Microsoft Outlook View Control Arbitrary Command Execution Vulnerability
The vulnerability is due to a new ActiveX control called 'Microsoft Outlook View Control'. The flaw is that this control is marked 'safe for scripting' when it should not be. It is therefore accessible by scripts. Scripts can execute commands without user knowledge or consent.
Mitigation:
Disable ActiveX controls in Outlook or use an alternative email client.