CVE-2016-0028 — Sensitive Information Exposure in Microsoft Exchange Server 2013 Cumulative Update 11

CWE-200 — Sensitive Information Exposure5 documents4 sources

Severity

5.5MEDIUMNVD

EPSS

21.1%

top 4.33%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Msrc Microsoft Exchange Server 2013 Cumulative Update 11 Msrc Microsoft Exchange Server 2013 Cumulative Update 12 Msrc Microsoft Exchange Server 2013 Service Pack 1 +2 more

Timeline

PublishedJun 16

Latest updateMay 14

Description

Outlook Web Access (OWA) in Microsoft Exchange Server 2013 SP1, Cumulative Update 11, and Cumulative Update 12 and 2016 Gold and Cumulative Update 1 does not properly restrict loading of IMG elements, which makes it easier for remote attackers to track users via a crafted HTML e-mail message, aka "Microsoft Exchange Information Disclosure Vulnerability."

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages5 packages

▶msrcmsrc/microsoft_exchange_server_2016_cumulative_update_1

▶msrcmsrc/microsoft_exchange_server_2013_cumulative_update_11

▶msrcmsrc/microsoft_exchange_server_2013_cumulative_update_12

▶msrcmsrc/microsoft_exchange_server_2016

▶msrcmsrc/microsoft_exchange_server_2013_service_pack_1

🔴Vulnerability Details

GHSA

GHSA-4r6v-fffh-m6fx: Outlook Web Access (OWA) in Microsoft Exchange Server 2013 SP1, Cumulative Update 11, and Cumulative Update 12 and 2016 Gold and Cumulative Update 1 d↗2022-05-14

▶

📋Vendor Advisories

Microsoft

Microsoft Exchange Information Disclosure Vulnerability↗2016-06-14

▶

🕵️Threat Intelligence

Talos

Microsoft Patch Tuesday - June 2016↗2016-06-14

▶

Talos

Microsoft Patch Tuesday - June 2016↗2016-06-14

▶