ID: CVE-2002-0727
Type: cve
Reporter: cve@mitre.org
Modified: 2018-10-12T21:31:00
Description
The Host function in Microsoft Office Web Components (OWC) 2000 and 2002 is exposed in components that are marked as safe for scripting, which allows remote attackers to execute arbitrary commands via the setTimeout method.
{
  "osvdb": [
    {
      "lastseen": "2017-04-28T13:19:57",
      "bulletinFamily": "software",
      "cvelist": ["CVE-2002-0727"],
      "edition": 1,
      "description": "## Vulnerability Description\nMicrosoft Office Web Components (OWC) contain a flaw that allows a remote attacker to execute arbitrary scripts when called via Internet Explorer. The flaw is due to components that are marked as \"safe\" for scripting which allow arbitrary commands to be executed via the \"setTimeout\" function. An attacker who created a malicious HTML document could use this function along with \"\"=HOST()\" to change the Document Object Model (DOM) and execute the arbitrary script.\n\n\n## Solution Description\nCurrently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability.\n## Short Description\nMicrosoft Office Web Components (OWC) contain a flaw that allows a remote attacker to execute arbitrary scripts when called via Internet Explorer. The flaw is due to components that are marked as \"safe\" for scripting which allow arbitrary commands to be executed via the \"setTimeout\" function. An attacker who created a malicious HTML document could use this function along with \"\"=HOST()\" to change the Document Object Model (DOM) and execute the arbitrary script.\n\n\n## References:\nVendor Specific Solution URL: http://office.microsoft.com/downloads/2002/owc10.aspx\nMicrosoft Security Bulletin: MS02-044\nISS X-Force ID: 8777\nGeneric Informational URL: http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21023\nGeneric Informational URL: http://security.greymagic.com/adv/gm005-ie/\n[CVE-2002-0727](https://vulners.com/cve/CVE-2002-0727)\nBugtraq ID: 4449\n",
      "modified": "2002-03-10T00:00:00",
      "published": "2002-03-10T00:00:00",
      "href": "https://vulners.com/osvdb/OSVDB:3006",
      "id": "OSVDB:3006",
      "title": "Microsoft IE OWC Script Execution",
      "type": "osvdb",
      "cvss": {
        "score": 7.5,
        "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"
      }
    }
  ]
}