CVE-2008-3007

Microsoft Office and OneNote - Remote Code Execution via Crafted onenote:// URL

Title source: llm
STIX 2.1

Description

Argument injection vulnerability in a URI handler in Microsoft Office XP SP3, 2003 SP2 and SP3, 2007 Office System Gold and SP1, and Office OneNote 2007 Gold and SP1 allow remote attackers to execute arbitrary code via a crafted onenote:// URL, aka "Uniform Resource Locator Validation Error Vulnerability."

References (9)

Core 9
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/31067
Mailing List vendor-advisory x_refsource_hp
http://marc.info/?l=bugtraq&m=122235754013992&w=2
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id?1020833
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5970
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/496178/100/0/threaded
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2008/2523
US Government Resource third-party-advisory x_refsource_cert
http://www.us-cert.gov/cas/techalerts/TA08-253A.html

Scores

EPSS 0.3193
EPSS Percentile 98.1%

Details

CWE
CWE-20
Status published
Products (4)
microsoft/office 2003 sp2 (2 CPE variants)
microsoft/office 2007 (2 CPE variants)
microsoft/office xp sp3
microsoft/office_onenote 2007 gold (2 CPE variants)
Published Sep 11, 2008
Tracked Since Feb 18, 2026