CVE-2009-2502

HIGH

Microsoft GDI+ - Buffer Overflow

Title source: llm

Description

Buffer overflow in GDI+ in Microsoft Internet Explorer 6 SP1, Windows XP SP2 and SP3, Office XP SP3, Office 2003 SP3, 2007 Microsoft Office System SP1 and SP2, Office Project 2002 SP1, Visio 2002 SP2, Office Word Viewer, Word Viewer 2003 Gold and SP3, Office Excel Viewer 2003 Gold and SP3, Office Excel Viewer, Office PowerPoint Viewer 2007 Gold, SP1, and SP2, Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2, Expression Web, Expression Web 2, Groove 2007 Gold and SP1, Works 8.5, SQL Server 2000 Reporting Services SP2, SQL Server 2005 SP2 and SP3, Report Viewer 2005 SP1, Report Viewer 2008 Gold and SP1, and Forefront Client Security 1.0 allows remote attackers to execute arbitrary code via a crafted TIFF image file, aka "GDI+ TIFF Buffer Overflow Vulnerability."

References (3)

Core 3

Core References

US Government Resource third-party-advisory x_refsource_cert

http://www.us-cert.gov/cas/techalerts/TA09-286A.html

Vendor Advisory vendor-advisory x_refsource_ms

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-062

Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5898

Scores

CVSS v3 8.1

EPSS 0.4369

EPSS Percentile 97.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-119 CWE-120

Status published

Products (31)

microsoft/.net_framework 1.1 sp1

microsoft/.net_framework 2.0 sp1 (2 CPE variants)

microsoft/excel_viewer 2003 (2 CPE variants)

microsoft/expression_web

microsoft/expression_web 2

microsoft/forefront_client_security 1.0

microsoft/internet_explorer 6 sp1

microsoft/office 2003 sp3

microsoft/office 2007 sp1 (2 CPE variants)

microsoft/office xp

... and 21 more

Published Oct 14, 2009

Tracked Since Feb 18, 2026