CVE-2018-16793 — Server-Side Request Forgery in Microsoft Exchange Server

CWE-918 — Server-Side Request Forgery3 documents3 sources

Severity

8.6HIGHNVD

EPSS

2.1%

top 16.04%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Microsoft Exchange Server

Timeline

PublishedSep 21

Latest updateMay 14

Description

Rollup 18 for Microsoft Exchange Server 2010 SP3 and previous versions has an SSRF vulnerability via the username parameter in /owa/auth/logon.aspx in the OWA (Outlook Web Access) login page.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:NExploitability: 3.9 | Impact: 4.0

Affected Packages1 packages

▶NVDmicrosoft/exchange_server2010

🔴Vulnerability Details

GHSA

GHSA-rghf-wr3j-2757: Rollup 18 for Microsoft Exchange Server 2010 SP3 and previous versions has an SSRF vulnerability via the username parameter in /owa/auth/logon↗2022-05-14

▶

CVEList

CVE-2018-16793: Rollup 18 for Microsoft Exchange Server 2010 SP3 and previous versions has an SSRF vulnerability via the username parameter in /owa/auth/logon↗2018-09-21

▶