Important 2018-10 archive

Executive Summary

An elevation of privilege vulnerability exists when Microsoft Exchange Outlook Web Access (OWA) fails to properly handle web requests. An attacker who successfully exploited this vulnerability could perform script/content injection attacks and attempt to trick the user into disclosing sensitive information. To exploit the vulnerability, an attacker could send a specially crafted email message containing a malicious link to a user. Alternatively, an attacker could use a chat client to social engineer a user into clicking the malicious link. The security update addresses the vulnerability by correcting how Microsoft Exchange validates web requests. Note: In order to exploit this vulnerability, a user must click a maliciously crafted link from an attacker.

Overview

Important
MS Severity
Not Exploited
MS Exploit Status
Less Likely
MS Exploit Likelihood
Category Elevation of Privilege
Released Oct 9 2018
Last Updated Oct 9 2018
Publicly Disclosed No
CISA KEV Not Listed
Known Exploits None Known

EPSS Score

No EPSS score available for this CVE.

View on FIRST.org

Affected Products

2 affected products
Product KB Article Severity Impact Restart Required
Microsoft Exchange Server 2013 Cumulative Update 21 4459266 (Security Update) Important Elevation of Privilege Maybe
Microsoft Exchange Server 2016 Cumulative Update 10 4459266 (Security Update) Important Elevation of Privilege Maybe

Patches

1 patch
Article Type Restart
4459266 Security Update Maybe

Known Exploits

Acknowledgments

Adrian Ivascu