Описание
Microsoft Exchange Information Disclosure Vulnerability
An email filter bypass exists in the way that Microsoft Exchange parses HTML messages that could allow information disclosure. An attacker who successfully exploited the vulnerability could identify, fingerprint, and track a user online if the user views email messages using Outlook Web Access (OWA). An attacker could also combine this vulnerability with another one, such as a Cross-Site Request Forgery (CSRF), to amplify the attack.
To exploit the vulnerability, an attacker could include specially crafted image URLs in OWA messages that could be loaded, without warning or filtering, from the attacker-controlled URL. This callback vector provides an information disclosure tactic used in web beacons and other types of tracking systems.
The update corrects the way that Exchange parses HTML messages.
Обновления
| Продукт | Статья | Обновление |
|---|---|---|
| Microsoft Exchange Server 2013 Service Pack 1 | ||
| Microsoft Exchange Server 2013 Cumulative Update 11 | ||
| Microsoft Exchange Server 2016 | ||
| Microsoft Exchange Server 2013 Cumulative Update 12 | ||
| Microsoft Exchange Server 2016 Cumulative Update 1 |
Показывать по
Возможность эксплуатации
Publicly Disclosed
Exploited
Latest Software Release
Older Software Release
DOS
EPSS
Связанные уязвимости
Outlook Web Access (OWA) in Microsoft Exchange Server 2013 SP1, Cumulative Update 11, and Cumulative Update 12 and 2016 Gold and Cumulative Update 1 does not properly restrict loading of IMG elements, which makes it easier for remote attackers to track users via a crafted HTML e-mail message, aka "Microsoft Exchange Information Disclosure Vulnerability."
Outlook Web Access (OWA) in Microsoft Exchange Server 2013 SP1, Cumulative Update 11, and Cumulative Update 12 and 2016 Gold and Cumulative Update 1 does not properly restrict loading of IMG elements, which makes it easier for remote attackers to track users via a crafted HTML e-mail message, aka "Microsoft Exchange Information Disclosure Vulnerability."
EPSS