Security Updates for Microsoft Office Online Server and Microsoft Office Web Apps (June 2018)

Medium Nessus Plugin ID 110498

Synopsis

The Microsoft Office Online Server or Microsoft Office Web Apps
installation on the remote host is missing a security update.

Description

The Microsoft Office Online Server or Microsoft Office Web
Apps installation on the remote host is missing a security
update. It is, therefore, affected by the following
vulnerability :

- An elevation of privilege vulnerability exists when
Office Web Apps Server 2013 and Office Online Server
fail to properly handle web requests. An attacker who
successfully exploited this vulnerability could perform
script/content injection attacks and attempt to trick
the user into disclosing sensitive information.
(CVE-2018-8247)

Solution

Microsoft has released the following security updates to address this issue:
-KB4011026
-KB4022203
-KB4022183

See Also

http://www.nessus.org/u?ba942b2e

http://www.nessus.org/u?27d4da8d

http://www.nessus.org/u?8ea76bc5

Plugin Details

Severity: Medium

ID: 110498

File Name: smb_nt_ms18_jun_office_web.nasl

Version: 1.1

Type: local

Agent: windows

Published: 2018/06/12

Modified: 2018/06/12

Dependencies: 13855, 27524, 84669, 57033

Risk Information

Risk Factor: Medium

CVSS v2.0

Base Score: 6.9

Vector: CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C

CVSS v3.0

Base Score: 7.8

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Vulnerability Information

CPE: cpe:/a:microsoft:office_online_server, cpe:/a:microsoft:office_web_apps

Patch Publication Date: 2018/06/12

Vulnerability Publication Date: 2018/06/12

Reference Information

CVE: CVE-2018-8247

MSKB: 4011026, 4022203, 4022183

MSFT: MS18-4011026, MS18-4022203, MS18-4022183