CVE-2004-0121

Microsoft Outlook 2002 - Command Injection

Title source: llm

Description

Argument injection vulnerability in Microsoft Outlook 2002 does not sufficiently filter parameters of mailto: URLs when using them as arguments when calling OUTLOOK.EXE, which allows remote attackers to use script code in the Local Machine zone and execute arbitrary programs.

Exploits (1)

exploitdb WORKING POC VERIFIED

by shaun2k2 · htmlremotewindows

https://www.exploit-db.com/exploits/23796

View Code ZIP pw:eip

References (10)

[Broken Link, Third Party Advisory, US Government Resource] http://www.us-cert.gov/cas/techalerts/TA04-070A.html

[Patch, Vendor Advisory] https://docs.microsoft.com/en-us/security-updates/securitybulletins/2004/ms04-009

[Mitigation, Third Party Advisory, US Government Resource] http://www.kb.cert.org/vuls/id/305206

[Third Party Advisory, VDB Entry] https://exchange.xforce.ibmcloud.com/vulnerabilities/15414

[Third Party Advisory, VDB Entry] https://exchange.xforce.ibmcloud.com/vulnerabilities/15429

[Broken Link] https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A843

[Broken Link] http://www.ciac.org/ciac/bulletins/o-096.shtml

[Broken Link, Exploit, Patch, Third Party Advisory, VDB Entry, Vendor Advisory] http://www.securityfocus.com/bid/9827

[Broken Link, Patch, Vendor Advisory] http://www.idefense.com/application/poi/display?id=79&type=vulnerabilities

[Third Party Advisory] http://marc.info/?l=bugtraq&m=107893704602842&w=2

Scores

EPSS 0.5147

EPSS Percentile 97.9%

Details

CWE

CWE-88

Status published

Products (2)

microsoft/office xp sp2

microsoft/outlook 2002 sp2

Published Apr 15, 2004

Tracked Since Feb 18, 2026