
exploitDog


ADV190021

Published: 09 Jul 2019
Source: msrc

Description

Outlook on the web Cross-Site Scripting Vulnerability

A cross-site scripting vulnerability has been discovered that affects on-premises deployments of Outlook on the web (formerly known as Outlook Web App). To exploit this vulnerability, an attacker must send a victim an email containing custom HTML content with an embedded image in SVG format. The victim must then either drag and drop that image from the email into a new browser tab, or paste the URL of the image into a new browser tab. Images in other formats do not trigger the vulnerability.

Microsoft is addressing this vulnerability by recommending that administrators for Outlook on the web block SVG images. See the Mitigations section for instructions.

Mitigations

Because the vulnerability can only be exploited by sending images in SVG format, we recommend that administrators for Outlook on the web block SVG images. This can be accomplished with the Set-OwaMailboxPolicy cmdlet, as documented at the following link:

https://docs.microsoft.com/en-us/powershell/module/exchange/client-access/set-owamailboxpolicy?view=exchange-ps

For example, to add SVG to the BlockedFileTypes and BlockedMimeTypes properties of one policy, run the following commands in the Exchange Management Shell on the affected Exchange server (replace <POLICYNAME> with the name of the OWA mailbox policy to update):

```powershell
# Fetch the policy object so its multi-valued lists can be extended in place
$policy = Get-OwaMailboxPolicy <POLICYNAME>
# Block SVG both by file extension and by MIME type, since either can identify the image
$policy.BlockedFileTypes.Add(".svg")
$policy.BlockedMimeTypes.Add("image/svg+xml")
# Write the extended lists back to the policy
Set-OwaMailboxPolicy $policy.Identity -BlockedFileTypes $policy.BlockedFileTypes -BlockedMimeTypes $policy.BlockedMimeTypes
```

If there are multiple policies, all policies must be updated; a mailbox assigned to any policy that still allows SVG remains exposed.
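The following script, added here as an example and not part of the MSRC advisory, applies the same mitigation to every OWA mailbox policy in the organization rather than to one named policy. It only adds values that are missing, so it can be re-run safely without filling the lists with duplicates, it also removes SVG from the Allowed* lists so the result does not depend on how Exchange reconciles the allow and block lists, and it finishes by listing any policy that still lets SVG through. It assumes it is run in the Exchange Management Shell by an account with rights to modify OWA mailbox policies (for example Organization Management); the variable names are the author's own.

```powershell
# Added example (not the advisory's own commands): block SVG in every OWA mailbox
# policy, idempotently, then verify. Assumes the Exchange Management Shell and an
# account permitted to run Set-OwaMailboxPolicy.

$blockedExt  = ".svg"
$blockedMime = "image/svg+xml"

foreach ($policy in Get-OwaMailboxPolicy) {
    # Parameters to splat into Set-OwaMailboxPolicy; Identity is always present
    $params = @{ Identity = $policy.Identity }

    # Only add what is missing so re-running does not create duplicate entries.
    # Exchange multi-valued parameters accept @{Add=...} / @{Remove=...} hashtables.
    if ($policy.BlockedFileTypes -notcontains $blockedExt) {
        $params["BlockedFileTypes"] = @{ Add = $blockedExt }
    }
    if ($policy.BlockedMimeTypes -notcontains $blockedMime) {
        $params["BlockedMimeTypes"] = @{ Add = $blockedMime }
    }

    # Defensive: drop SVG from the allow lists as well, so the outcome does not
    # hinge on list precedence inside Exchange.
    if ($policy.AllowedFileTypes -contains $blockedExt) {
        $params["AllowedFileTypes"] = @{ Remove = $blockedExt }
    }
    if ($policy.AllowedMimeTypes -contains $blockedMime) {
        $params["AllowedMimeTypes"] = @{ Remove = $blockedMime }
    }

    # Count -gt 1 means something besides Identity was queued up
    if ($params.Count -gt 1) {
        Set-OwaMailboxPolicy @params
        Write-Host "Updated policy '$($policy.Name)'"
    } else {
        Write-Host "Policy '$($policy.Name)' already blocks SVG"
    }
}

# Verification: report any policy whose block lists still lack either entry.
$stillOpen = Get-OwaMailboxPolicy | Where-Object {
    $_.BlockedFileTypes -notcontains $blockedExt -or
    $_.BlockedMimeTypes -notcontains $blockedMime
}
if ($stillOpen) {
    Write-Warning "Policies still allowing SVG: $($stillOpen.Name -join ', ')"
} else {
    Write-Host "All OWA mailbox policies block SVG attachments."
}
```

Policies only matter for the mailboxes they are assigned to, so after running this it is worth confirming assignments with Get-CASMailbox (its OwaMailboxPolicy property shows which policy each mailbox uses) rather than assuming every mailbox is on the default policy.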

Exploitability

Publicly Disclosed: No

Exploited: No

DOS: N/A