CVE-2016-3279

MEDIUM

Microsoft Excel - Security Feature Bypass

Title source: rule

Description

Microsoft Office 2010 SP2, Excel 2010 SP2, PowerPoint 2010 SP2, Word 2010 SP2, Excel 2013 SP1, PowerPoint 2013 SP1, Word 2013 SP1, Excel 2013 RT SP1, PowerPoint 2013 RT SP1, Word 2013 RT SP1, Excel 2016, Word 2016, Word Automation Services on SharePoint Server 2010 SP2, and Office Web Apps 2010 SP2 allow remote attackers to execute arbitrary code via a crafted XLA file, aka "Microsoft Office Remote Code Execution Vulnerability."

References (4)

[Third Party Advisory, VDB Entry] http://www.securitytracker.com/id/1036274

[Third Party Advisory, VDB Entry] http://www.securitytracker.com/id/1036275

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/91587

[Vendor Advisory] https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-088

Scores

CVSS v3 5.5

EPSS 0.3438

EPSS Percentile 96.9%

Attack Vector LOCAL

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Classification

CWE

CWE-254

Status draft

Affected Products (14)

microsoft/excel

microsoft/excel_rt

microsoft/office

microsoft/office_web_apps

microsoft/powerpoint

microsoft/powerpoint_rt

microsoft/sharepoint_server

microsoft/word

microsoft/word_rt

Timeline

Published Jul 13, 2016

Tracked Since Feb 18, 2026