CVE-2020-1503

high-risk

Published 2020-08-17

An information disclosure vulnerability exists when Microsoft Word improperly discloses the contents of its memory. An attacker who exploited the vulnerability could use the information to compromise the user’s computer or data. To exploit the vulnerability, an attacker could craft a special document file and then convince the user to open it. An attacker must know the memory address location where the object was created. The update addresses the vulnerability by changing the way certain Word functions handle objects in memory.

Do I need to act?

27.3% chance of exploitation in next 30 days

EPSS score — higher than 73% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.5/10 Medium

LOCAL / LOW complexity

Affected Products (16)

365 Apps

Office

Office Online Server

Office Web Apps

Sharepoint Enterprise Server

Sharepoint Server

Word

Affected Vendors

Microsoft

References (2)

Patch https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1503

/ 100

high-risk

Severity 18/34 · Moderate

Exploitability 15/34 · Moderate

Exposure 18/34 · Moderate