External control of a file name or path allows an unauthorized attacker to execute code over a network.

Microsoft released patches for at least 66 security defects across the Windows ecosystem and called urgent attention to a WebDAV remote code execution bug. The bug allows browser-based drive-by downloads if a target clicks on a rigged website. Microsoft has not disclosed who is abusing the software defect or whether exploitation is widespread.

Read more:

https://www.securityweek.com/microsoft-patch-tuesday-covers-webdav-flaw-marked-as-already-exploited/