Design/Logic Flaw

2012-08-1501:55:00

PRIOn knowledge base

www.prio-n.com

8.5 High

AI Score

Confidence

Low

9.3 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

0.938 High

EPSS

Percentile

99.1%

JSON

The TabStrip ActiveX control in the Common Controls in MSCOMCTL.OCX in Microsoft Office 2003 SP3, Office 2003 Web Components SP3, Office 2007 SP2 and SP3, Office 2010 SP1, SQL Server 2000 SP4, SQL Server 2005 SP4, SQL Server 2008 SP2, SP3, R2, R2 SP1, and R2 SP2, Commerce Server 2002 SP4, Commerce Server 2007 SP2, Commerce Server 2009 Gold and R2, Host Integration Server 2004 SP1, Visual FoxPro 8.0 SP1, Visual FoxPro 9.0 SP2, and Visual Basic 6.0 Runtime allows remote attackers to execute arbitrary code via a crafted (1) document or (2) web page that triggers system-state corruption, aka “MSCOMCTL.OCX RCE Vulnerability.”

CPENameOperatorVersion
commerce_servereq2007 sp2
commerce_servereq2009
commerce_servereq2002 sp4
commerce_servereq2009 r2
host_integration_servereq2004 sp1
officeeq2010 sp1-x86
officeeq2007 sp3
officeeq2007 sp2
officeeq2003 sp3
office_web_componentseq2003 sp3

Name	Operator	Version
commerce_server	eq	2007 sp2
commerce_server	eq	2009
commerce_server	eq	2002 sp4
commerce_server	eq	2009 r2
host_integration_server	eq	2004 sp1
office	eq	2010 sp1-x86
office	eq	2007 sp3
office	eq	2007 sp2
office	eq	2003 sp3
office_web_components	eq	2003 sp3