2015-06-09 This security update resolves vulnerabilities in Microsoft Exchange Server. The most severe of the vulnerabilities could allow elevation of privilege if an authenticated user clicks a link to a specially crafted webpage. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or Instant Messenger message.
Vulnerabilities addressed in this bulletin:
Exchange Server-Side Request Forgery Vulnerability
An information disclosure vulnerability exists in Microsoft Exchange web applications when Exchange does not properly manage same-origin policy.
CVE-2015-1764
Exchange Cross-Site Request Forgery Vulnerability
An elevation of privilege vulnerability exists in Microsoft Exchange web applications when Exchange does not properly manage user sessions. For this Cross-Site Request Forgery (CSRF/XSRF) vulnerability to be exploited, the victim must be authenticated to (logged on to) the target site.
CVE-2015-1771
Exchange HTML Injection Vulnerability
An information disclosure vulnerability exists in Microsoft Exchange web applications when Exchange does not properly sanitize HTML strings.
CVE-2015-2359

Bulletin details at Microsoft.com

Related CVE Entries

CVE-2015-1764: The web applications in Microsoft Exchange Server 2013 SP1 and Cumulative Update 8 allow remote attackers to bypass the Same Origin Policy and send HTTP traffic to intranet servers via a crafted request, related to a Server-Side Request Forgery (SSRF) issue, aka "Exchange Server-Side Request Forgery Vulnerability."
Max CVSS: 4.3 | EPSS Score: 0.43% | Published: 2015-06-10 | Updated: 2018-10-12
CVE-2015-1771: Cross-site request forgery (CSRF) vulnerability in the web applications in Microsoft Exchange Server 2013 SP1 and Cumulative Update 8 allows remote attackers to hijack the authentication of arbitrary users, aka "Exchange Cross-Site Request Forgery Vulnerability."
Max CVSS: 6.8 | EPSS Score: 0.39% | Published: 2015-06-10 | Updated: 2018-10-12
CVE-2015-2359: Cross-site scripting (XSS) vulnerability in the web applications in Microsoft Exchange Server 2013 Cumulative Update 8 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka "Exchange HTML Injection Vulnerability."
Max CVSS: 4.3 | EPSS Score: 1.22% | Published: 2015-06-10 | Updated: 2018-10-12