Description
Improper neutralization of input during web page generation ('cross-site scripting') in Office Out-of-Box Experience allows an unauthorized attacker to perform spoofing over a network.
Published: 2025-12-18
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized spoofing via XSS
Action: Patch Now
AI Analysis

Impact

The vulnerability is an improper neutralization of input during web page generation, classified as a cross‑site scripting flaw. An attacker who can supply malicious data to the Office Out‑of‑Box Experience can cause that data to be rendered unfiltered, allowing the attacker to create forged or misleading content that appears as legitimate Office output. This can mislead users into believing the content is authentic, potentially enabling phishing or social‑engineering attacks.

Affected Systems

The flaw affects Microsoft Office Out‑of‑Box Experience. The CVE does not enumerate specific affected versions, so any installation of Office OOBE that has not applied Microsoft’s latest update may be vulnerable.

Risk and Exploitability

The CVSS score of 8.2 indicates high severity, while the EPSS score of less than 1% suggests that exploitation is currently unlikely but still possible. The vulnerability is not currently listed in the CISA KEV catalog. The likely attack path requires the attacker to supply crafted content that is incorporated into the Office web page rendering process, which could be achieved over a network connection to the Office OOBE service.

Generated by OpenCVE AI on April 20, 2026 at 15:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest Office Out‑of‑Box Experience update released by Microsoft to eliminate the XSS flaw.
  • Configure Office OOBE to reject or sanitize untrusted input, preventing malicious data from being rendered.
  • Enable web‑filtering or script‑blocking solutions that detect and block cross‑site scripting attempts in Office OOBE traffic.

Tracking

Advisories

No advisories yet.

History

Fri, 16 Jan 2026 17:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Microsoft office Out-of-box Experience
CPEs | | cpe:2.3:a:microsoft:office_out-of-box_experience:-:*:*:*:*:*:*:*
Vendors & Products | | Microsoft office Out-of-box Experience

Fri, 19 Dec 2025 16:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 18 Dec 2025 22:15:00 +0000

Type | Values Removed | Values Added
Description | | Improper neutralization of input during web page generation ('cross-site scripting') in Office Out-of-Box Experience allows an unauthorized attacker to perform spoofing over a network.
Title | | Office Out-of-Box Experience Spoofing Vulnerability
First Time appeared | | Microsoft; Microsoft office Out Of-box Experience
Weaknesses | | CWE-79
CPEs | | cpe:2.3:a:microsoft:office_out_of-box_experience:*:*:*:*:*:*:*:*
Vendors & Products | | Microsoft; Microsoft office Out Of-box Experience
References | |
Metrics | | cvssV3_1: {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:U/RL:O/RC:C'}

MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-04-16T14:19:06.932Z

Reserved: 2025-11-06T23:40:37.277Z

Link: CVE-2025-64677

Vulnrichment

Updated: 2025-12-19T15:11:55.194Z

NVD

Status : Analyzed

Published: 2025-12-18T22:16:01.077

Modified: 2026-01-16T17:28:14.047

Link: CVE-2025-64677

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T15:45:10Z

Weaknesses