critical
9.3
CWE
264
Advisory Published
Updated

CVE-2015-2503

First published: Wed Nov 11 2015(Updated: )

Microsoft Access 2007 SP3, Excel 2007 SP3, InfoPath 2007 SP3, OneNote 2007 SP3, PowerPoint 2007 SP3, Project 2007 SP3, Publisher 2007 SP3, Visio 2007 SP3, Word 2007 SP3, Office 2007 IME (Japanese) SP3, Access 2010 SP2, Excel 2010 SP2, InfoPath 2010 SP2, OneNote 2010 SP2, PowerPoint 2010 SP2, Project 2010 SP2, Publisher 2010 SP2, Visio 2010 SP2, Word 2010 SP2, Pinyin IME 2010, Access 2013 SP1, Excel 2013 SP1, InfoPath 2013 SP1, OneNote 2013 SP1, PowerPoint 2013 SP1, Project 2013 SP1, Publisher 2013 SP1, Visio 2013 SP1, Word 2013 SP1, Excel 2013 RT SP1, OneNote 2013 RT SP1, PowerPoint 2013 RT SP1, Word 2013 RT SP1, Access 2016, Excel 2016, OneNote 2016, PowerPoint 2016, Project 2016, Publisher 2016, Visio 2016, Word 2016, Skype for Business 2016, and Lync 2013 SP1 allow remote attackers to bypass a sandbox protection mechanism and gain privileges via a crafted web site that is accessed with Internet Explorer, as demonstrated by a transition from Low Integrity to Medium Integrity, aka "Microsoft Office Elevation of Privilege Vulnerability."

Credit: secure@microsoft.com

Affected SoftwareAffected VersionHow to fix
Microsoft Access 2010=2007-sp3
Microsoft Access 2010=2010-sp2
Microsoft Access 2010=2013-sp1
Microsoft Access 2010=2016
Microsoft Office Excel=2007-sp3
Microsoft Office Excel=2010-sp2
Microsoft Office Excel=2010-sp2
Microsoft Office Excel=2013-sp1
Microsoft Office Excel=2013-sp1
Microsoft Office Excel=2016
Microsoft InfoPath 2016=2007-sp3
Microsoft InfoPath 2016=2010-sp2
Microsoft InfoPath 2016=2013-sp1
Microsoft Lync Server=2013-sp1
Microsoft Office=sp3
Microsoft OneNote 2010=2007-sp3
Microsoft OneNote 2010=2010-sp2
Microsoft OneNote 2010=2013-sp1
Microsoft OneNote 2010=2013-sp1
Microsoft OneNote 2010=2016
Microsoft Pinyin IME=2010
Microsoft PowerPoint 2010=2007-sp3
Microsoft PowerPoint 2010=2010-sp2
Microsoft PowerPoint 2010=2013-sp1
Microsoft PowerPoint 2010=2013-sp1
Microsoft PowerPoint 2010=2016
Microsoft Project 2013=2007-sp3
Microsoft Project 2013=2016
Microsoft Project Server=2010-sp2
Microsoft Project Server=2013-sp1
Microsoft Publisher 2010=2007-sp3
Microsoft Publisher 2010=2010-sp2
Microsoft Publisher 2010=2013-sp1
Microsoft Publisher 2010=2016
Microsoft Skype for Business=2016
Microsoft Visio Standard=2007-sp3
Microsoft Visio Standard=2010-sp2
Microsoft Visio Standard=2013-sp1
Microsoft Visio Standard=2016
Microsoft Office Word=2007-sp3
Microsoft Office Word=2010-sp2
Microsoft Office Word=2013-sp1
Microsoft Office Word=2013-sp1
Microsoft Office Word=2016

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is the severity of CVE-2015-2503?

    CVE-2015-2503 is considered a critical vulnerability due to its potential for exploitation.

  • How do I fix CVE-2015-2503?

    To fix CVE-2015-2503, ensure that you have the latest security updates installed for the affected Microsoft Office products.

  • What software versions are affected by CVE-2015-2503?

    CVE-2015-2503 affects several Microsoft Office products, including Access 2007 and 2010, Excel 2007 and 2010, and others across various versions.

  • Can CVE-2015-2503 lead to unauthorized access?

    Yes, CVE-2015-2503 can allow attackers to execute arbitrary code, potentially granting unauthorized access to sensitive data.

  • Is there a workaround for CVE-2015-2503?

    A practical workaround for CVE-2015-2503 involves disabling macros in Office applications until the software is updated.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203