#microsoft

**According to the CVSS metric, the attack vector is network (AV:N) and the user interaction is required (UI:R). What is the target context of the remote code execution?** This attack requires a client to connect to a malicious server, and that could allow the attacker to gain code execution on the client.

**According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?** The word **Remote** in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. For example, when the score indicates that the **Attack Vector** is **Local** and **User Interaction** is **Required**, this could describe an exploit in which an attacker, through social engineering, convinces a victim to download and open a specially crafted file from a website which leads to a local attack on their computer.

**Is the Preview Pane an attack vector for this vulnerability?** Yes, the Preview Pane is an attack vector.

**According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?** The word **Remote** in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. For example, when the score indicates that the **Attack Vector** is **Local** and **User Interaction** is **Required**, this could describe an exploit in which an attacker, through social engineering, convinces a victim to download and open a specially crafted file from a website which leads to a local attack on their computer.

**According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?** The word **Remote** in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. For example, when the score indicates that the **Attack Vector** is **Local** and **User Interaction** is **Required**, this could describe an exploit in which an attacker, through social engineering, convinces a victim to download and open a specially crafted file from a website which leads to a local attack on their computer.

**According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution?** The word **Remote** in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. For example, when the score indicates that the **Attack Vector** is **Local** and **User Interaction** is **Required**, this could describe an exploit in which an attacker, through social engineering, convinces a victim to download and open a specially crafted file from a website which leads to a local attack on their computer.

**According to the CVSS metric, the attack vector is adjacent (AV:A) and privileges required are low (PR:L). What does that mean for this vulnerability?** Multiple networking topologies are available to connect High Performance Compute (HPC) resources which are reliant upon intra-nets or private networks and do not expose HPC resources to the public internet regardless of implementation. An attacker must have access to the network connecting the targeted clusters and nodes (PR:L) and must send a specially crafted HTTPS request to the head node (AV:A) to successfully exploit this vulnerability. For more information on how HPC resources can be connected, please reference this documentation regarding Understanding HPC Cluster Network Topologies.

**Why is this HackerOne CVE included in the Security Update Guide?** The vulnerability assigned to this CVE is in Node.js software which is consumed by Microsoft Visual Studio. It is being documented in the Security Update Guide to announce that the latest builds of Visual Studio are no longer vulnerable. Please see Security Update Guide Supports CVEs Assigned by Industry Partners for more information.

**According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?** Successful exploitation of this vulnerability requires multiple conditions to be met, such as specific application behavior, user actions, manipulation of parameters passed to a function, and impersonation of an integrity level token.

**According to the CVSS metric, Integrity (I:L) is Low. What does that mean for this vulnerability?** An attacker's message can inherit the sender's email address from another message in the UI. The attacker cannot control which message it inherits from. This issue occurs exclusively for messages in the Junk folder, as it is the only folder where the app displays the sender's email address. The attacker cannot affect confidentiality or availability.