Moderate 📢 Publicly disclosed 2018-03 archive

Executive Summary

An elevation of privilege vulnerability exists when Microsoft Exchange Outlook Web Access (OWA) fails to properly sanitize links presented to users. An attacker who successfully exploited this vulnerability could override the OWA interface with a fake login page and attempt to trick the user into disclosing sensitive information. To exploit the vulnerability, an attacker could send a specially crafted email message containing a malicious link to a user. The user would have to click the malicious link in order to be susceptible to the vulnerability. The security update addresses the vulnerability by correcting how Microsoft Exchange rewrites links presented within the body of emails.

Overview

Moderate
MS Severity
Not Exploited
MS Exploit Status
Exploitation Unlikely
MS Exploit Likelihood
Category Elevation of Privilege
Released Mar 13 2018
Last Updated Mar 13 2018
Publicly Disclosed Yes
CISA KEV Not Listed
Known Exploits None Known

EPSS Score

No EPSS score available for this CVE.

View on FIRST.org

Affected Products

6 affected products
Product KB Article Severity Impact Restart Required
Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 20 4073537 (Security Update) Important Elevation of Privilege Maybe
Microsoft Exchange Server 2013 Cumulative Update 18 4073392 (Security Update) Moderate Elevation of Privilege Maybe
Microsoft Exchange Server 2013 Cumulative Update 19 4073392 (Security Update) Moderate Elevation of Privilege Maybe
Microsoft Exchange Server 2013 Service Pack 1 4073392 (Security Update) Moderate Elevation of Privilege Maybe
Microsoft Exchange Server 2016 Cumulative Update 7 4073392 (Security Update) Moderate Elevation of Privilege Maybe
Microsoft Exchange Server 2016 Cumulative Update 8 4073392 (Security Update) Moderate Elevation of Privilege Maybe

Patches

2 patches
Article Type Restart
4073537 Security Update Maybe
4073392 Security Update Maybe

Known Exploits

Acknowledgments