CVE-2023-36805: 
vulnerability analysis and mitigation

Windows MSHTML Platform Security Feature Bypass Vulnerability, identified as CVE-2023-36805, was discovered and reported to Microsoft on June 1, 2023. The vulnerability affects multiple versions of Microsoft Windows, including Windows 10, Windows 11, and various Windows Server editions. This security issue was officially assigned a CVE ID on June 27, 2023 (CVE Mitre).

The vulnerability exists within the processing of certain image file types that can load scripts. Microsoft has assigned this vulnerability a CVSS v3.1 base score of 7.0 (HIGH) with the vector string CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H. The specific flaw is related to improper neutralization of special elements used in a command (Command Injection), classified under CWE-77 (NVD).

Under limited circumstances, crafted data in an image can lead to execution of untrusted script, allowing attackers to execute arbitrary code on affected installations of Microsoft Windows. The vulnerability can be leveraged to execute code in the context of the current process (ZDI).

Microsoft has released security updates to address this vulnerability. Users are advised to apply the latest security patches available through the Microsoft Update system (Microsoft Advisory).