Description
Multiple vulnerabilities have been reported in Microsoft Exchange Server 2013, which can be exploited by malicious users to bypass certain security restrictions and by malicious people to conduct cross-site scripting attacks.
1) Certain input related to the OWA Modified Canary Parameter is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
2) Certain input related to ExchangeDLP is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
3) Certain input related to Audit Report is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
4) Certain input related to Exchange Error Message is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
5) An error when handling meetings can be exploited to perform otherwise restricted scheduling or modification of meetings as another user.
Vulnerable Products
Vulnerable Software: Microsoft Exchange Server 2013
Solution
Apply update.
Microsoft Exchange Server 2013 Service Pack 1:
https://www.microsoft.com/downloads/details.aspx?FamilyID=9c5d23a7-3690-4b39-848a-821060cf9ad2
Microsoft Exchange Server 2013 Cumulative Update 7:
https://www.microsoft.com/downloads/details.aspx?FamilyID=0d560449-71d3-4f56-91ad-1b7f2a12c45b
CVE
CVE-2015-1632
CVE-2015-1631
CVE-2015-1630
CVE-2015-1629
CVE-2015-1628
References
Microsoft (KB3040856):
https://technet.microsoft.com/library/security/MS15-026
Vulnerability Manager Detection
No
IPS Protection