#Security Vulnerability

Improper access control in Azure Virtual Machines allows an authorized attacker to perform spoofing locally.

**According to the CVSS metric, successful exploitation of this vulnerability could lead to some loss of integrity (I:L)? What does that mean for this vulnerability?** The attacker is only able to modify the content of the vulnerable link to redirect the victim to a malicious site.

Heap-based buffer overflow in Microsoft Teams allows an unauthorized attacker to execute code over a network.

**According to the CVSS metric, privileges required is high (PR:H). What does that mean for this vulnerability?** To successfully exploit this vulnerability, an attacker would need to have elevated access to certain attributes of the dMSA, specifically: * msds-groupMSAMembership: This attribute allows the user to utilize the dMSA. * msds-ManagedAccountPrecededByLink: The attacker needs write access to this attribute, which allows them to specify a user that the dMSA can act on behalf of.

Access of resource using incompatible type ('type confusion') in Windows Push Notifications allows an authorized attacker to elevate privileges locally.

Use of uninitialized resource in Windows Routing and Remote Access Service (RRAS) allows an authorized attacker to disclose information over a network.

**According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?** The word **Remote** in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability.

**According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?** A race condition is triggered when the admin begins administering from the host system and not a guest or nested guest.

**What privileges could be gained by an attacker who successfully exploited the vulnerability?** The attacker would gain the rights of the user that is running the affected application.

User interface (ui) misrepresentation of critical information in Microsoft Edge for Android allows an unauthorized attacker to perform spoofing over a network.