The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of DotNet Framework

vulnerability announce CVE-2017-8759

Microsoft .NET Framework: code execution

Synthesis of the vulnerability

An attacker can use a vulnerability of Microsoft .NET Framework, in order to run code.
Impacted products: .NET Framework.
Severity: 3/4.
Consequences: privileged access/rights, user access/rights.
Provenance: document.
Creation date: 13/09/2017.
Identifiers: CERTFR-2017-AVI-296, CVE-2017-8759, VIGILANCE-VUL-23822, VU#101048.

Description of the vulnerability

An attacker can use a vulnerability of Microsoft .NET Framework, in order to run code.
Full Vigil@nce bulletin... (Free trial)

vulnerability alert CVE-2017-8585

Microsoft .NET Framework: vulnerabilities of July 2017

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Microsoft .NET Framework.
Impacted products: .NET Framework.
Severity: 3/4.
Consequences: denial of service on service.
Provenance: document.
Creation date: 12/07/2017.
Identifiers: CERTFR-2017-AVI-210, CVE-2017-8585, VIGILANCE-VUL-23201.

Description of the vulnerability

An attacker can use several vulnerabilities of Microsoft products.

The document located in information sources was generated by Vigil@nce from the Microsoft database. It contains details for each product.
Full Vigil@nce bulletin... (Free trial)

vulnerability bulletin CVE-2017-0248

Microsoft .NET: privilege escalation via Enhanced Key Usage

Synthesis of the vulnerability

An attacker can bypass restrictions via Enhanced Key Usage of Microsoft .NET, in order to escalate his privileges.
Impacted products: .NET Framework.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: document.
Creation date: 10/05/2017.
Identifiers: CERTFR-2017-AVI-146, CVE-2017-0248, VIGILANCE-VUL-22683.

Description of the vulnerability

An attacker can bypass restrictions via Enhanced Key Usage of Microsoft .NET, in order to escalate his privileges.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability alert CVE-2017-0160

Microsoft .NET: vulnerabilities of April 2017

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Microsoft products.
Impacted products: .NET Framework.
Severity: 4/4.
Consequences: user access/rights, denial of service on service.
Provenance: document.
Creation date: 12/04/2017.
Revision date: 19/04/2017.
Identifiers: 1081, CERTFR-2017-AVI-110, CVE-2017-0160, VIGILANCE-VUL-22416.

Description of the vulnerability

An attacker can use several vulnerabilities of Microsoft products.

The document located in information sources was generated by Vigil@nce from the Microsoft database. It contains details for each product.
Full Vigil@nce bulletin... (Free trial)

vulnerability note 21544

Microsoft .NET: privilege escalation via Microsoft.IdentityModel.Tokens

Synthesis of the vulnerability

An attacker can bypass restrictions via Microsoft.IdentityModel.Tokens of Microsoft .NET, in order to escalate his privileges.
Impacted products: .NET Framework.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: internet client.
Creation date: 11/01/2017.
Identifiers: 3214296, VIGILANCE-VUL-21544.

Description of the vulnerability

An attacker can bypass restrictions via Microsoft.IdentityModel.Tokens of Microsoft .NET, in order to escalate his privileges.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability bulletin CVE-2016-7270

Microsoft .NET: information disclosure via SQL Server Always Encrypted

Synthesis of the vulnerability

An attacker can bypass access restrictions to data via SQL Server Always Encrypted of Microsoft .NET, in order to obtain sensitive information.
Impacted products: .NET Framework, Windows 10, Windows 2008 R0, Windows 2008 R2, Windows 2012, Windows 2016, Windows 7, Windows 8, Windows RT, Windows Vista.
Severity: 2/4.
Consequences: data reading.
Provenance: document.
Creation date: 14/12/2016.
Identifiers: 3205640, CERTFR-2016-AVI-417, CVE-2016-7270, MS16-155, VIGILANCE-VUL-21378.

Description of the vulnerability

An attacker can bypass access restrictions to data via SQL Server Always Encrypted of Microsoft .NET, in order to obtain sensitive information.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability note CVE-2016-3209 CVE-2016-3262 CVE-2016-3263

Windows, .NET, Office, Skype, Lync, Silverlight: seven vulnerabilities via Graphics Component

Synthesis of the vulnerability

Several vulnerabilities were announced in Windows, .NET, Office, Skype, Lync and Silverlight.
Impacted products: Lync, .NET Framework, Office, Access, Office Communicator, Excel, OneNote, Outlook, PowerPoint, Project, Publisher, Visio, Word, Silverlight, Skype for Business, Windows 10, Windows 2008 R0, Windows 2008 R2, Windows 2012, Windows 7, Windows 8, Windows RT, Windows Vista.
Severity: 4/4.
Consequences: user access/rights, data reading, denial of service on server, denial of service on service, denial of service on client.
Provenance: document.
Number of vulnerabilities in this bulletin: 7.
Creation date: 12/10/2016.
Identifiers: 3192884, 825, 829, 864, 868, CERTFR-2016-AVI-340, CVE-2016-3209, CVE-2016-3262, CVE-2016-3263, CVE-2016-3270, CVE-2016-3393, CVE-2016-3396, CVE-2016-7182, MS16-120, VIGILANCE-VUL-20829.

Description of the vulnerability

Several vulnerabilities were announced in Windows, .NET, Office, Skype, Lync and Silverlight.

An attacker can use a vulnerability via GDI+, in order to run code. [severity:4/4; CVE-2016-3393]

An attacker can use a vulnerability via GDI+, in order to run code. [severity:4/4; CVE-2016-3396]

An attacker can bypass security features via GDI+, in order to obtain sensitive information. [severity:2/4; CVE-2016-3209]

An attacker can bypass security features via GDI+, in order to obtain sensitive information. [severity:2/4; CVE-2016-3262]

An attacker can bypass security features via GDI+, in order to obtain sensitive information. [severity:2/4; CVE-2016-3263]

An attacker can bypass security features via True Type Font, in order to escalate his privileges. [severity:2/4; CVE-2016-7182]

An attacker can bypass security features via Win32k, in order to escalate his privileges. [severity:2/4; CVE-2016-3270]
Full Vigil@nce bulletin... (Free trial)

computer vulnerability announce CVE-2016-3255

Microsoft .NET: external XML entity injection

Synthesis of the vulnerability

An attacker can transmit malicious XML data to Microsoft .NET, in order to read a file, scan sites, or trigger a denial of service.
Impacted products: .NET Framework.
Severity: 2/4.
Consequences: data reading, denial of service on service.
Provenance: document.
Creation date: 12/07/2016.
Identifiers: 3170048, CERTFR-2016-AVI-232, CVE-2016-3255, MS16-091, VIGILANCE-VUL-20087.

Description of the vulnerability

XML data can contain external entities (DTD):
  <!ENTITY name SYSTEM "file">
  <!ENTITY name SYSTEM "http://server/file">
A program which reads these XML data can replace these entities by data coming from the indicated file. When the program uses XML data coming from an untrusted source, this behavior leads to:
 - content disclosure from files of the server
 - private web site scan
 - a denial of service by opening a blocking file
This feature must be disabled to process XML data coming from an untrusted source.

However, the Microsoft .NET parser allows external entities.

An attacker can therefore transmit malicious XML data to Microsoft .NET, in order to read a file, scan sites, or trigger a denial of service.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability bulletin CVE-2016-0149

Microsoft .NET: Man-in-the-Middle

Synthesis of the vulnerability

An attacker can act as a Man-in-the-Middle on Microsoft .NET, in order to read or write data in the session.
Impacted products: .NET Framework, Windows 10, Windows 2008 R0, Windows 2008 R2, Windows 2012, Windows 7, Windows 8, Windows RT, Windows Vista.
Severity: 2/4.
Consequences: data reading, data creation/edition.
Provenance: internet server.
Creation date: 10/05/2016.
Identifiers: 3156757, CERTFR-2016-AVI-165, CVE-2016-0149, MS16-065, VIGILANCE-VUL-19588.

Description of the vulnerability

The Microsoft .NET product uses the TLS protocol, in order to create secure sessions.

However, injecting clear text packets disrupt the encrypted session.

An attacker can therefore act as a Man-in-the-Middle on Microsoft .NET, in order to read or write data in the session.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability alert CVE-2016-0148

Microsoft .NET: code execution via api-ms-win-appmodel-runtime-l1-1-0.dll

Synthesis of the vulnerability

A local attacker can force a malicious library load by an application using Microsoft .NET, in order to run code.
Impacted products: .NET Framework.
Severity: 3/4.
Consequences: user access/rights.
Provenance: document.
Creation date: 12/04/2016.
Revision date: 13/04/2016.
Identifiers: 3148789, CERTFR-2016-AVI-125, CVE-2016-0148, MS16-041, VIGILANCE-VUL-19356, ZDI-16-234.

Description of the vulnerability

The Microsoft .NET product loads external libraries.

However, it loads the DLL api-ms-win-appmodel-runtime-l1-1-0.dll directory from its current directory.

This vulnerability can be exploited via VIGILANCE-VUL-19052 using Microsoft PowerPoint Viewer.

A local attacker can therefore force a malicious library load by an application using Microsoft .NET, in order to run code.
Full Vigil@nce bulletin... (Free trial)
Our database contains other pages. You can request a free trial to read them.

Display information about DotNet Framework: