Tag
#vulnerability
**What privileges could be gained by an attacker who successfully exploited this vulnerability?** An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.
**How could an attacker exploit this vulnerability?** An attacker with access to any user account assigned the built-in CMPivot Administrator security role could exploit this vulnerability by escalating privileges. Specifically, they could assign themselves—or another account—the Full Administrator role (or any other elevated role), or modify existing role permissions. This would allow them to bypass intended security boundaries and gain unrestricted access across the hierarchy.
**According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?** Successful exploitation of this vulnerability requires an attacker to win a race condition.
Exposure of sensitive information to an unauthorized actor in Microsoft Office Excel allows an unauthorized attacker to disclose information locally.
Heap-based buffer overflow in Windows OLE allows an unauthorized attacker to execute code locally.
**Is the Preview Pane an attack vector for this vulnerability?** No, the Preview Pane is not an attack vector.
Improper neutralization of input during web page generation ('cross-site scripting') in Dynamics 365 Field Service (online) allows an authorized attacker to perform spoofing over a network.
Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to execute code locally.