cbcvebase.
CVE-2019-1137
published 2019-07-15

CVE-2019-1137: A cross-site-scripting (XSS) vulnerability exists when Microsoft Exchange Server does not properly sanitize a specially crafted web request to an affected…

PriorityP426medium5.4CVSS 3.1
AVNACLPRLUIRSCCLILAN
EPSS
1.58%
72.5th percentile
A cross-site-scripting (XSS) vulnerability exists when Microsoft Exchange Server does not properly sanitize a specially crafted web request to an affected Exchange server, aka 'Microsoft Exchange Server Spoofing Vulnerability'.

Affected

30 ranges· showing 25
VendorProductVersion rangeFixed in
microsoftexchange_server
microsoftexchange_server
microsoftexchange_server
microsoftmicrosoft_exchange_server_2013
microsoftmicrosoft_exchange_server_2016
microsoftmicrosoft_exchange_server_2016
microsoftmicrosoft_exchange_server_2019
microsoftmicrosoft_exchange_server_2019
msrcmicrosoft_exchange_server_2010_service_pack_3
msrcmicrosoft_exchange_server_2013_cumulative_update_21
msrcmicrosoft_exchange_server_2013_cumulative_update_22
msrcmicrosoft_exchange_server_2013_cumulative_update_23
msrcmicrosoft_exchange_server_2013_service_pack_1
msrcmicrosoft_exchange_server_2016_cumulative_update_10
msrcmicrosoft_exchange_server_2016_cumulative_update_11
msrcmicrosoft_exchange_server_2016_cumulative_update_12
msrcmicrosoft_exchange_server_2016_cumulative_update_13
msrcmicrosoft_exchange_server_2016_cumulative_update_14
msrcmicrosoft_exchange_server_2016_cumulative_update_15
msrcmicrosoft_exchange_server_2016_cumulative_update_16
msrcmicrosoft_exchange_server_2016_cumulative_update_17
msrcmicrosoft_exchange_server_2016_cumulative_update_18
msrcmicrosoft_exchange_server_2016_cumulative_update_19
msrcmicrosoft_exchange_server_2016_cumulative_update_8
msrcmicrosoft_exchange_server_2016_cumulative_update_9

CVSS provenance

nvdv3.15.4MEDIUMCVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
nvdv2.03.5LOWAV:N/AC:M/Au:S/C:N/I:P/A:N
vendor_msrc9.1CRITICAL
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.