CVE-2004-0121

Argument injection vulnerability in Microsoft Outlook 2002 does not sufficiently filter parameters of mailto: URLs when using them as arguments when calling OUTLOOK.EXE, which allows remote attackers to use script code in the Local Machine zone and execute arbitrary programs.

CVSS v2.0 7.5 HIGH

7.5^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://www.idefense.com/application/poi/display?id=79&type=vulnerabilities	Patch Vendor Advisory
http://www.securityfocus.com/bid/9827	Exploit Patch Vendor Advisory
http://www.us-cert.gov/cas/techalerts/TA04-070A.html	US Government Resource
http://www.kb.cert.org/vuls/id/305206	US Government Resource
http://www.ciac.org/ciac/bulletins/o-096.shtml
http://marc.info/?l=bugtraq&m=107893704602842&w=2
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A843
https://exchange.xforce.ibmcloud.com/vulnerabilities/15429
https://exchange.xforce.ibmcloud.com/vulnerabilities/15414
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2004/ms04-009

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:microsoft:outlook:2002:::::::*
	cpe:2.3:a:microsoft:outlook:2002:sp1::::::
	cpe:2.3:a:microsoft:office:xp:sp1::::::
	cpe:2.3:a:microsoft:office:xp:sp2::::::
	cpe:2.3:a:microsoft:office:xp:::::::*
	cpe:2.3:a:microsoft:outlook:2002:sp2::::::

Information

Published : 2004-04-15 04:00

Updated : 2018-10-12 21:33

NVD link : CVE-2004-0121

Mitre link : CVE-2004-0121

JSON object : View

Products Affected

microsoft

outlook
office

CWE

NVD-CWE-Other

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "http://www.idefense.com/application/poi/display?id=79&type=vulnerabilities", "name": "20040309 Microsoft Outlook \"mailto:\" Parameter Passing Vulnerability", "tags": ["Patch", "Vendor Advisory"], "refsource": "IDEFENSE"}, {"url": "http://www.securityfocus.com/bid/9827", "name": "9827", "tags": ["Exploit", "Patch", "Vendor Advisory"], "refsource": "BID"}, {"url": "http://www.us-cert.gov/cas/techalerts/TA04-070A.html", "name": "TA04-070A", "tags": ["US Government Resource"], "refsource": "CERT"}, {"url": "http://www.kb.cert.org/vuls/id/305206", "name": "VU#305206", "tags": ["US Government Resource"], "refsource": "CERT-VN"}, {"url": "http://www.ciac.org/ciac/bulletins/o-096.shtml", "name": "O-096", "tags": [], "refsource": "CIAC"}, {"url": "http://marc.info/?l=bugtraq&m=107893704602842&w=2", "name": "20040310 Outlook mailto: URL argument injection vulnerability", "tags": [], "refsource": "BUGTRAQ"}, {"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A843", "name": "oval:org.mitre.oval:def:843", "tags": [], "refsource": "OVAL"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/15429", "name": "outlook-ms04009-patch(15429)", "tags": [], "refsource": "XF"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/15414", "name": "outlook-mailtourl-execute-code(15414)", "tags": [], "refsource": "XF"}, {"url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2004/ms04-009", "name": "MS04-009", "tags": [], "refsource": "MS"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "Argument injection vulnerability in Microsoft Outlook 2002 does not sufficiently filter parameters of mailto: URLs when using them as arguments when calling OUTLOOK.EXE, which allows remote attackers to use script code in the Local Machine zone and execute arbitrary programs."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2004-0121", "ASSIGNER": "cve@mitre.org"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "severity": "HIGH", "impactScore": 6.4, "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": true, "userInteractionRequired": false}}, "publishedDate": "2004-04-15T04:00Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:microsoft:outlook:2002:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:microsoft:outlook:2002:sp1:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:microsoft:office:xp:sp1:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:microsoft:office:xp:sp2:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:microsoft:office:xp:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:microsoft:outlook:2002:sp2:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2018-10-12T21:33Z"}