This issue has been assigned Common Vulnerability Scoring System rating of 7.5. Attackers could exploit this vulnerability to take over the affected system in order to obtain sensitive information or to perform other activities as an authorized user. An attacker could host a malicious dwf or .pct file on a network share and when accessed through the DesignReview.exe application, it could lead to information disclosure or elevation of privileges.
Additionally, this issue has been assigned Common Vulnerability Scoring System rating of 10.0 due to the fact that the dwf or .pct file could also be exploited using cross-process scripting vulnerability. In order to exploit this issue, an attacker would have to supply crafted dwf or .pct file to the user who is using DesignReview.exe application.
Vulnerability overview
An attacker could host a malicious dwf or .pct file on a network share and when accessed through the DesignReview.exe application, it could lead to information disclosure or elevation of privileges.
Additionally, this issue has been assigned Common Vulnerability Scoring System rating of 10.0 due to the fact that the dwf or .pct file could also be exploited using cross-process scripting vulnerability. In order to exploit this issue, an attacker would have to supply crafted dwf or .pct file to the user who is using DesignReview.exe application.
Dependencies
This vulnerability is a result of a design flaw in the DesignReview.exe application.
DesignReview.exe is a software component that runs on Microsoft Windows that allows users to view design documents created by AutoCAD and other CAD packages.
An attacker could exploit this vulnerability by hosting malicious dwf or .pct files on an accessible network share, which would be accessed through the DesignReview.exe application, leading to arbitrary code execution or information disclosure. This issue has also been assigned Common Vulnerability Scoring System rating of 10.0 due to the fact that the dwf or .pct file could also be exploited using cross-process scripting vulnerability.
Vulnerability Characterization
The following table provides additional information about this vulnerability.
Vendor: Microsoft Corporation
Product: Microsoft Design Review
Type: Cross-process Scripting (CVE-2022-42941)
Impact: System takeover or elevation of privileges on the affected system
Attack Vector: Network share access through the DesignReview.exe application
Timeline
Published on: 10/21/2022 16:15:00 UTC
Last modified on: 10/24/2022 13:42:00 UTC