Microsoft Exchange Server vulnerabilities
207 known vulnerabilities affecting microsoft/exchange_server.
Total CVEs: 207
CISA KEV: 19 (actively exploited)
Public exploits: 28
Exploited in wild: 19
Severity breakdown
CRITICAL 24, HIGH 84, MEDIUM 93, LOW 6
Vulnerabilities
Page 7 of 11
CVE-2017-8540 | HIGH | CVSS 7.8 | KEV | PoC | v2013, v2016 | 2017-05-26
The Microsoft Malware Protection Engine running on Microsoft Forefront and Microsoft Defender on Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016, Microsoft Exchange Server 2013 and 2016, does not properly scan a specially cra
nvd
CVE-2017-8537 | MEDIUM | CVSS 5.5 | PoC | v2013, v2016 | 2017-05-26
The Microsoft Malware Protection Engine running on Microsoft Forefront and Microsoft Defender on Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016, Microsoft Exchange Server 2013 and 2016, does not properly scan a specially c
nvd
CVE-2017-8536 | MEDIUM | CVSS 5.5 | PoC | v2013, v2016 | 2017-05-26
The Microsoft Malware Protection Engine running on Microsoft Forefront and Microsoft Defender on Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016, Microsoft Exchange Server 2013 and 2016, does not properly scan a specially c
nvd
CVE-2017-8535 | MEDIUM | CVSS 5.5 | CWE-119 | PoC | v2013, v2016 | 2017-05-26
The Microsoft Malware Protection Engine running on Microsoft Forefront and Microsoft Defender on Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016, Microsoft Exchange Server 2013 and 2016, does not properly scan a spe
nvd
CVE-2017-0110 | MEDIUM | CVSS 6.1 | CWE-79 | v2013 | 2017-03-17
Cross-site scripting (XSS) vulnerability in Microsoft Exchange Outlook Web Access (OWA) allows remote attackers to inject arbitrary web script or HTML via a crafted email or chat client, aka "Microsoft Exchange Server Elevation of Privilege Vulnerability."
nvd
CVE-2016-3378 | HIGH | CVSS 7.4 | CWE-20 | v2013, v2016 | 2016-09-14
Open redirect vulnerability in Microsoft Exchange Server 2013 SP1, 2013 Cumulative Update 12, 2013 Cumulative Update 13, 2016 Cumulative Update 1, and 2016 Cumulative Update 2 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a crafted URL, aka "Microsoft Exchange Open Redirect Vulnerability."
nvd
CVE-2016-0138 | MEDIUM | CVSS 4.3 | CWE-200 | v2007, v2010 +2 more | 2016-09-14
Microsoft Exchange Server 2007 SP3, 2010 SP3, 2013 SP1, 2013 Cumulative Update 12, 2013 Cumulative Update 13, 2016 Cumulative Update 1, and 2016 Cumulative Update 2 misparses e-mail messages, which allows remote authenticated users to obtain sensitive Outlook application information by leveraging the Send As right, aka "Microsoft Exchange Information
nvd
CVE-2016-3379 | MEDIUM | CVSS 6.1 | CWE-79 | v2016 | 2016-09-14
Cross-site scripting (XSS) vulnerability in Microsoft Exchange Server 2016 Cumulative Update 1 and 2 allows remote attackers to inject arbitrary web script or HTML via a meeting-invitation request, aka "Microsoft Exchange Elevation of Privilege Vulnerability."
nvd
CVE-2016-0031 | MEDIUM | CVSS 6.1 | v2016 | 2016-01-13
Cross-site scripting (XSS) vulnerability in Outlook Web Access (OWA) in Microsoft Exchange Server 2016 allows remote attackers to inject arbitrary web script or HTML via a crafted URL, aka "Exchange Spoofing Vulnerability," a different vulnerability than CVE-2016-0029.
nvd
CVE-2016-0032 | MEDIUM | CVSS 6.1 | CWE-79 | v2013, v2016 | 2016-01-13
Cross-site scripting (XSS) vulnerability in Outlook Web Access (OWA) in Microsoft Exchange Server 2013 PS1, 2013 Cumulative Update 10, 2013 Cumulative Update 11, and 2016 allows remote attackers to inject arbitrary web script or HTML via a crafted URL, aka "Exchange Spoofing Vulnerability."
nvd
CVE-2016-0029 | MEDIUM | CVSS 6.1 | CWE-79 | v2016 | 2016-01-13
Cross-site scripting (XSS) vulnerability in Outlook Web Access (OWA) in Microsoft Exchange Server 2016 allows remote attackers to inject arbitrary web script or HTML via a crafted URL, aka "Exchange Spoofing Vulnerability," a different vulnerability than CVE-2016-0031.
nvd
CVE-2016-0030 | MEDIUM | CVSS 6.1 | CWE-79 | v2013, v2016 | 2016-01-13
Cross-site scripting (XSS) vulnerability in Outlook Web Access (OWA) in Microsoft Exchange Server 2013 PS1, 2013 Cumulative Update 10, and 2016 allows remote attackers to inject arbitrary web script or HTML via a crafted URL, aka "Exchange Spoofing Vulnerability."
nvd
CVE-2015-2544 | MEDIUM | CVSS 4.3 | CWE-79 | v2013 | 2015-09-09
Cross-site scripting (XSS) vulnerability in Outlook Web Access (OWA) in Microsoft Exchange Server 2013 Cumulative Update 8 and 9 and SP1 allows remote attackers to inject arbitrary web script or HTML via a crafted e-mail message, aka "Exchange Spoofing Vulnerability."
nvd
CVE-2015-2543 | MEDIUM | CVSS 4.3 | CWE-79 | v2013 | 2015-09-09
Cross-site scripting (XSS) vulnerability in Outlook Web Access (OWA) in Microsoft Exchange Server 2013 Cumulative Update 8 and 9 allows remote attackers to inject arbitrary web script or HTML via a crafted e-mail message, aka "Exchange Spoofing Vulnerability."
nvd
CVE-2015-2505 | MEDIUM | CVSS 5.0 | CWE-200 | v2013 | 2015-09-09
Outlook Web Access (OWA) in Microsoft Exchange Server 2013 Cumulative Update 8 and 9 and SP1 allows remote attackers to obtain sensitive stacktrace information via a crafted request, aka "Exchange Information Disclosure Vulnerability."
nvd
CVE-2015-2359 | MEDIUM | CVSS 4.3 | CWE-79 | v2013 | 2015-06-10
Cross-site scripting (XSS) vulnerability in the web applications in Microsoft Exchange Server 2013 Cumulative Update 8 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka "Exchange HTML Injection Vulnerability."
nvd
CVE-2015-1771 | MEDIUM | CVSS 6.8 | CWE-352 | v2013 | 2015-06-10
Cross-site request forgery (CSRF) vulnerability in the web applications in Microsoft Exchange Server 2013 SP1 and Cumulative Update 8 allows remote attackers to hijack the authentication of arbitrary users, aka "Exchange Cross-Site Request Forgery Vulnerability."
nvd
CVE-2015-1764 | MEDIUM | CVSS 4.3 | v2013 | 2015-06-10
The web applications in Microsoft Exchange Server 2013 SP1 and Cumulative Update 8 allow remote attackers to bypass the Same Origin Policy and send HTTP traffic to intranet servers via a crafted request, related to a Server-Side Request Forgery (SSRF) issue, aka "Exchange Server-Side Request Forgery Vulnerability."
nvd
CVE-2015-1628 | MEDIUM | CVSS 4.3 | CWE-79 | v2013 | 2015-03-11
Cross-site scripting (XSS) vulnerability in Outlook Web App (OWA) in Microsoft Exchange Server 2013 SP1 and Cumulative Update 7 allows remote attackers to inject arbitrary web script or HTML via a crafted X-OWA-Canary cookie in an AD.RecipientType.User action, aka "OWA Modified Canary Parameter Cross Site Scripting Vulnerability."
nvd
CVE-2015-1632 | MEDIUM | CVSS 4.3 | CWE-79 | v2013 | 2015-03-11
Cross-site scripting (XSS) vulnerability in errorfe.aspx in Outlook Web App (OWA) in Microsoft Exchange Server 2013 SP1 and Cumulative Update 7 allows remote attackers to inject arbitrary web script or HTML via the msgParam parameter in an authError action, aka "Exchange Error Message Cross Site Scripting Vulnerability."
nvd