#Security Vulnerability

**Is the Preview Pane an attack vector for this vulnerability?** Yes, the Preview Pane is an attack vector.

**According to the CVSS metric, the attack vector is local (AV:L), privileges are required (PR:L) and user interaction is required (UI:R). How could an attacker exploit this security feature bypass vulnerability?** The attack itself is carried out locally by a user with authentication to the targeted system. An authenticated attacker could exploit the vulnerability by convincing a victim, through social engineering, to download and open a specially crafted file from a website which could lead to a local attack on the victim computer.

**According to the CVSS metric, successful exploitation of this vulnerability could lead to total loss of availability (A:H)? What does that mean for this vulnerability?** An attacker could impact availability of the service resulting in "denial of service"\[DOS\].

**What type of information could be disclosed by this vulnerability?** An attacker who successfully exploited the vulnerability could potentially read User Mode Service Memory.

**According to the CVSS metric, privileges required is high (PR:H). What privileges are needed by the attacker and how are they used in the context of the remote code execution?** To successfully exploit this vulnerability, the attacker must have EdgeUser access. The EdgeUser is the core user used to perform management operations on the DBG device. They can perform actions like modifying network settings, configuring web proxy, configure cloud connectivity, shutdown/restart the appliance and trigger DBG updates via side-load mechanism and even factory reset the appliance (factory reset is an operation which wipes existing data and brings the appliance to a factory default state).

**How could an attacker exploit this vulnerability?** An authenticated attacker could attack a Microsoft Protected Extensible Authentication Protocol (PEAP) Server by sending specially crafted malicious PEAP packets over the network.

**According to the CVSS metric, privileges required is low (PR:L). What does that mean for this vulnerability?** The attacker must be authenticated to the target site, with the permission to use Manage Lists within SharePoint.

**What type of information could be disclosed by this vulnerability?** An attacker who successfully exploited this vulnerability could view heap memory from a privileged process running on the server.

**According to the CVSS metric, privileges required is low (PR:L). What does that mean for this vulnerability?** Any authenticated attacker could trigger this vulnerability. It does not require admin or other elevated privileges.

**What type of information could be disclosed by this vulnerability?** The type of information that could be disclosed if an attacker successfully exploited this vulnerability is uninitialized memory.