CVE-2023-36893: 
vulnerability analysis and mitigation

Microsoft Outlook Spoofing Vulnerability (CVE-2023-36893) was disclosed on August 8, 2023. This vulnerability affects multiple versions of Microsoft Outlook including Microsoft 365 Apps, Office 2019, Office LTSC 2021, and Outlook 2013 SP1 (NVD CVE).

The vulnerability has been assigned a CVSS v3.1 Base Score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N. The vulnerability is classified under CWE-20 (Improper Input Validation) (NVD CVE).

When exploited, this vulnerability affects how Outlook handles received meeting items from any sender (internal or external). After the security update, received meetings become read-only for recipients, preventing changes to the meeting body or file attachments. Additionally, images stored on network paths (UNC shares, file shares) or external URLs are blocked (Microsoft Support).

Microsoft has released security updates to address this vulnerability. For Microsoft 365 users, a new Edit Meeting button functionality has been implemented starting with Current Channel Version 2311 Build 17029.20068. This feature will be available in Monthly Enterprise Channel on January 9th and Semi-Annual Enterprise Channel (Preview) on December 12th. The feature is only available for Microsoft 365 subscription and will not be ported to Office 2021, Office 2019, or Office 2016. Users can add the Edit Meeting button to either the Quick Access Toolbar or the Ribbon for functionality (Microsoft Support).