Security Updates for Microsoft Office Online Server and Microsoft Office Web Apps (June 2018)

Medium Nessus Plugin ID 110498

Synopsis

The Microsoft Office Online Server or Microsoft Office Web Apps installation on the remote host is missing a security update.

Description

The Microsoft Office Online Server or Microsoft Office Web Apps installation on the remote host is missing a security update. It is, therefore, affected by the following vulnerability :

- An elevation of privilege vulnerability exists when Office Web Apps Server 2013 and Office Online Server fail to properly handle web requests. An attacker who successfully exploited this vulnerability could perform script/content injection attacks and attempt to trick the user into disclosing sensitive information.
(CVE-2018-8247)

Solution

Microsoft has released the following security updates to address this issue:
-KB4011026
-KB4022203
-KB4022183

See Also

http://www.nessus.org/u?ba942b2e

http://www.nessus.org/u?27d4da8d

http://www.nessus.org/u?8ea76bc5

Plugin Details

Severity: Medium

ID: 110498

File Name: smb_nt_ms18_jun_office_web.nasl

Version: 1.1

Type: local

Agent: windows

Published: 2018/06/12

Modified: 2018/06/12

Dependencies: 27524, 13855, 57033, 84669

Risk Information

Risk Factor: Medium

CVSSv2

Base Score: 6.9

Vector: CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C

CVSSv3

Base Score: 7.8

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Vulnerability Information

CPE: cpe:/a:microsoft:office_online_server, cpe:/a:microsoft:office_web_apps

Required KB Items: SMB/MS_Bulletin_Checks/Possible

Patch Publication Date: 2018/06/12

Vulnerability Publication Date: 2018/06/12

Reference Information

CVE: CVE-2018-8247

MSKB: 4011026, 4022203, 4022183

MSFT: MS18-4011026, MS18-4022203, MS18-4022183