CVE-2014-2730

Published: Apr 5, 2014Modified: May 6, 2026

5.0

Vector

AV:N/AC:L/Au:N/C:N/I:N/A:P

Exploitability: 10.0 / Impact: 2.9

Source: NVD

Description

The XML parser in Microsoft Office 2007 SP3, 2010 SP1 and SP2, and 2013, and Office for Mac 2011, does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory consumption and persistent application hang) via a crafted XML document containing a large number of nested entity references, as demonstrated by a crafted text/plain e-mail message to Outlook, a similar issue to CVE-2003-1564.

Affected (8)

Products: Microsoft: Office

Microsoft

1 product

Office

Configuration A

8 vulnerable

Vulnerable Software	Affected Versions
Microsoft Office	Version 2007 sp3
Microsoft Office	Version 2010 sp1
Microsoft Office	Version 2010 sp1
Microsoft Office	Version 2010 sp2
Microsoft Office	Version 2010 sp2
Microsoft Office	Version 2011
Microsoft Office	Version 2013
Microsoft Office	Version 2013

Related CWEs

CWE-399

References (2)

http://www.securityfocus.com/archive/1/531722/100/0/threaded

Source: cve@mitre.org

http://www.securityfocus.com/archive/1/531722/100/0/threaded

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.