OnlyFm252
Microsoft Exchange Server

CVE-2019-0588 — Microsoft Exchange Information Disclosure Vulnerability

Important EPSS 0.04626 2019-01 archive

Executive Summary

An information disclosure vulnerability exists when the Microsoft Exchange PowerShell API grants calendar contributors more view permissions than intended. To exploit this vulnerability, an attacker would need to be granted contributor access to an Exchange Calendar by an administrator via PowerShell. The attacker would then be able to view additional details about the calendar that would normally be hidden. The security update addresses the vulnerability by modifying how the Exchange PowerShell API grants permissions to contributors.

Overview

Important
MS Severity
Not Exploited
MS Exploit Status
Less Likely
MS Exploit Likelihood
Category Information Disclosure
Released Jan 8 2019
Last Updated Jan 8 2019
Publicly Disclosed No
CISA KEV Not Listed
Known Exploits None Known
EPSS Score 0.04626 — 0.90512 percentile

EPSS Score

0.04626
probability of exploitation in the next 30 days
0.90512 percentile - updated 2026-06-20
View on FIRST.org

Affected Products

5 affected products
Product KB Article Severity Impact Restart Required
Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 25 4468742 (Security Update) Important Information Disclosure Maybe
Microsoft Exchange Server 2013 Cumulative Update 21 4471389 (Security Update) Important Information Disclosure Maybe
Microsoft Exchange Server 2016 Cumulative Update 10 4471389 (Security Update) Important Information Disclosure Maybe
Microsoft Exchange Server 2016 Cumulative Update 11 4471389 (Security Update) Important Information Disclosure Maybe
Microsoft Exchange Server 2019 4471389 (Security Update) Important Information Disclosure Maybe

Patches

2 patches
Article Type Restart
4468742 Security Update Maybe
4471389 Security Update Maybe

Known Exploits

Acknowledgments

Cameron Vincent

On This Page