CVE-2019-1137

CWE-79 — Cross-site Scripting (XSS)4 documents4 sources

Severity

5.4MEDIUM

EPSS

0.7%

top 28.65%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Microsoft Microsoft Exchange Server 2013 Microsoft Microsoft Exchange Server 2016 Microsoft Microsoft Exchange Server 2019 +1 more

Timeline

PublishedJul 15

Latest updateMay 24

Description

A cross-site-scripting (XSS) vulnerability exists when Microsoft Exchange Server does not properly sanitize a specially crafted web request to an affected Exchange server, aka 'Microsoft Exchange Server Spoofing Vulnerability'.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages4 packages

▶NVDmicrosoft/exchange_server2013, 2016, 2019+2

▶CVEListV5microsoft/microsoft_exchange_server_2013Cumulative Update 23

▶CVEListV5microsoft/microsoft_exchange_server_2016Cumulative Update 12, Cumulative Update 13+1

▶CVEListV5microsoft/microsoft_exchange_server_2019Cumulative Update 1, Cumulative Update 2+1

Patches

Patch: portal.msrc.microsoft.com ↗Patch: portal.msrc.microsoft.com ↗

🔴Vulnerability Details

GHSA

GHSA-627q-5fv4-r68q: A cross-site-scripting (XSS) vulnerability exists when Microsoft Exchange Server does not properly sanitize a specially crafted web request to an affe↗2022-05-24

▶

CVEList

CVE-2019-1137: A cross-site-scripting (XSS) vulnerability exists when Microsoft Exchange Server does not properly sanitize a specially crafted web request to an affe↗2019-07-29

▶

📋Vendor Advisories

Microsoft

Microsoft Exchange Server Spoofing Vulnerability↗2019-07-09

▶