CVE Tools
Sign in

CVE-2015-2503

Published: Nov 11, 2015Updated: May 6, 2026 Sources: CVE List NVD BDUCWE-264
NVD MITRE
9.3CVSSCRITICAL
EPSS Score
16.8%
Top 3.4%
CISA KEV
Not in KEV
Exploits
No Known Exploits
Remediation
Patch Available

Description

Microsoft Access 2007 SP3, Excel 2007 SP3, InfoPath 2007 SP3, OneNote 2007 SP3, PowerPoint 2007 SP3, Project 2007 SP3, Publisher 2007 SP3, Visio 2007 SP3, Word 2007 SP3, Office 2007 IME (Japanese) SP3, Access 2010 SP2, Excel 2010 SP2, InfoPath 2010 SP2, OneNote 2010 SP2, PowerPoint 2010 SP2, Project 2010 SP2, Publisher 2010 SP2, Visio 2010 SP2, Word 2010 SP2, Pinyin IME 2010, Access 2013 SP1, Excel 2013 SP1, InfoPath 2013 SP1, OneNote 2013 SP1, PowerPoint 2013 SP1, Project 2013 SP1, Publisher 2013 SP1, Visio 2013 SP1, Word 2013 SP1, Excel 2013 RT SP1, OneNote 2013 RT SP1, PowerPoint 2013 RT SP1, Word 2013 RT SP1, Access 2016, Excel 2016, OneNote 2016, PowerPoint 2016, Project 2016, Publisher 2016, Visio 2016, Word 2016, Skype for Business 2016, and Lync 2013 SP1 allow remote attackers to bypass a sandbox protection mechanism and gain privileges via a crafted web site that is accessed with Internet Explorer, as demonstrated by a transition from Low Integrity to Medium Integrity, aka "Microsoft Office Elevation of Privilege Vulnerability."

CVSS Vector Breakdown

AV:NAC:MAu:NC:CI:CA:C
Exploitability
AV:NAccess Vector
Network
AC:MAccess Complexity
Medium
Au:NAuthentication
None
Impact
C:CConfidentiality
Complete
I:CIntegrity
Complete
A:CAvailability
Complete
Open in CVSS calculator →

Weaknesses

CWE-264

Affected Products

accessmicrosoft
On-premDesktop App
Consumer Software / productivity
excelmicrosoft
Desktop App
Consumer Software / productivity
infopathmicrosoft
On-prem
Operating Systems / windows
lyncmicrosoft
On-premWeb App
Communications / messaging-chat
office 2007 imemicrosoft
On-prem
Operating Systems / windows
microsoftcommercialUSOperating Systems
and 36 more affected products View all →

Exploitability

Official Patch Available

References

http://www.securitytracker.com/id/1034117
securitytracker.com
http://www.securitytracker.com/id/1034119
securitytracker.com
http://www.securitytracker.com/id/1034122
securitytracker.com
and 2 more references View all →

Timeline

Published
Nov 11, 2015
Last Updated
May 6, 2026

Unlock Complete Vulnerability Intelligence

Get the full picture for CVE-2015-2503 and every CVE in our database. Create a free account — no credit card required.

Create Free Account
Plain-language analysis
Impact assessment and exploitation scenario in plain English
Attack graph visualization
Interactive attack path and kill chain mapping
Exploit details & PoC links
ExploitDB, Metasploit, GitHub PoCs with direct links
Nuclei scanner templates
Ready-to-use vulnerability scanner templates
Full remediation guide
Patch instructions, workarounds, and compliance impact
Interactive AI chat
Ask questions about this vulnerability in natural language
Related vulnerabilities
Semantically similar CVEs and attack patterns
REST API & MCP access
Integrate vulnerability data into your workflows