Skip to main content

Microsoft Windows MSHTML Platform Privilege Escalation Vulnerability (CVE-2023-32046)

Advisory

Advisory
29 APR 2024

 

Background

CVE-2023-32046 is a vulnerability in the Windows MSHTML platform that could lead to an Elevation of Privilege (EoP) – essentially allowing a low privilege attacker to execute code in the context of the user or gain high-level access to a system they ordinarily would not have. Exploitation of the vulnerability requires that a user open a specially crafted file.

In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convince the user to open the file.

In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) containing a specially crafted file designed to exploit the vulnerability.

An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or instant message, and then convince them to open the specially crafted file.

 

Impact

  • Elevation of Privilege (EoP) allowing the attacker to execute arbitrary code on the victim's machine

 

Affected Products

  • All supported versions of Microsoft Windows

 

Recommendations

 

References