Microsoft Exchange Server
ADV190021 — Outlook on the web Cross-Site Scripting Vulnerability
Important
2019-07 archive
Executive Summary
A cross-site scripting vulnerability has been discovered that affects Outlook on the web (formerly known as Outlook Web App) on-premise deployments. To exploit this vulnerability, an attacker must send a victim an email containing custom HTML content. The victim must then drag and drop an image that was included in the email into a new browser tab. Alternatively, a victim could paste the URL of the image into a new browser tab. The vulnerability requires that the image be sent in SVG format. Microsoft is addressing this vulnerability by recommending that administrators for Outlook on the web block SVG images. See the Mitigations section for instructions.
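As an added example (not part of the advisory and not Microsoft's mitigation instructions), the following Python check shows how a mail-filtering hook could flag the SVG parts this issue depends on, so they can be stripped or quarantined before a message reaches Outlook on the web. The function names, the sample message and its addresses are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

SVG_MIME = "image/svg+xml"

def find_svg_parts(raw: bytes):
    """Return (content_type, filename, reason) for each part that is, or looks like, SVG."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        fname = part.get_filename() or ""
        head = (part.get_payload(decode=True) or b"")[:1024].lower()
        if ctype == SVG_MIME:
            reason = "declared-mime"
        elif fname.lower().endswith((".svg", ".svgz")):
            reason = "file-extension"
        elif ctype.startswith("image/") and b"<svg" in head:
            reason = "content-sniff"  # SVG markup labelled as another image type
        else:
            continue
        hits.append((ctype, fname, reason))
    return hits

def build_sample() -> bytes:
    """Constructed test message: one declared SVG, one SVG labelled as PNG, one PNG header."""
    svg = b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10"/>'
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = "constructed sample"
    m.set_content("See the picture.")
    m.add_attachment(svg, maintype="image", subtype="svg+xml", filename="logo.svg")
    m.add_attachment(svg, maintype="image", subtype="png", filename="photo.png")
    m.add_attachment(b"\x89PNG\r\n\x1a\n", maintype="image", subtype="png", filename="real.png")
    return m.as_bytes()

if __name__ == "__main__":
    for hit in find_svg_parts(build_sample()):
        print(hit)
```

The content-sniff branch matters because a filter that trusts only the declared MIME type or file extension misses SVG markup delivered under another image label.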
Overview
MS Severity: Important
MS Exploit Status: Not Exploited
MS Exploit Likelihood: Not Found
EPSS Score: No EPSS score available for this CVE.
Affected Products
4 affected products
| Product | KB Article | Severity | Impact | Restart Required |
|---|---|---|---|---|
| Microsoft Exchange Server 2010 Service Pack 3 | — | Important | Spoofing | Unknown |
| Microsoft Exchange Server 2013 | — | Important | Spoofing | Unknown |
| Microsoft Exchange Server 2016 | — | Important | Spoofing | Unknown |
| Microsoft Exchange Server 2019 | — | Important | Spoofing | Unknown |
Patches
1 patch
| Article | Type | Restart |
|---|---|---|
— |
Unknown |
Known Exploits
No known exploits have been linked for this CVE yet.
Acknowledgments
Abdulrahman Al-Qabandi