CVE-2008-3007
Microsoft Office and OneNote - Remote Code Execution via Crafted onenote:// URL
Title source: llmDescription
Argument injection vulnerability in a URI handler in Microsoft Office XP SP3, 2003 SP2 and SP3, 2007 Office System Gold and SP1, and Office OneNote 2007 Gold and SP1 allow remote attackers to execute arbitrary code via a crafted onenote:// URL, aka "Uniform Resource Locator Validation Error Vulnerability."
References (9)
Core 9
Core References
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/31067
Mailing List vendor-advisory
x_refsource_hp
http://marc.info/?l=bugtraq&m=122235754013992&w=2
Vendor Advisory vendor-advisory
x_refsource_ms
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-055
Various Sources x_refsource_misc
http://www.insomniasec.com/advisories/ISVA-080910.1.htm
Third Party Advisory, VDB Entry vdb-entry
x_refsource_sectrack
http://www.securitytracker.com/id?1020833
Third Party Advisory, VDB Entry vdb-entry
signature
x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5970
Third Party Advisory, VDB Entry mailing-list
x_refsource_bugtraq
http://www.securityfocus.com/archive/1/496178/100/0/threaded
Third Party Advisory vdb-entry
x_refsource_vupen
http://www.vupen.com/english/advisories/2008/2523
US Government Resource third-party-advisory
x_refsource_cert
http://www.us-cert.gov/cas/techalerts/TA08-253A.html
Scores
EPSS
0.3193
EPSS Percentile
98.1%
Details
CWE
CWE-20
Status
published
Products (4)
microsoft/office
2003 sp2 (2 CPE variants)
microsoft/office
2007 (2 CPE variants)
microsoft/office
xp sp3
microsoft/office_onenote
2007 gold (2 CPE variants)
Published
Sep 11, 2008
Tracked Since
Feb 18, 2026