MS15-064 Vulnerabilities in Microsoft Exchange Server Could Allow Elevation of Privilege
2015-06-09 This security update resolves vulnerabilities in Microsoft Exchange Server. The most severe of the vulnerabilities could allow elevation of privilege if an authenticated user clicks a link to a specially crafted webpage. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or Instant Messenger message.
Bulletin details at Microsoft.com
Vulnerabilities addressed in this bulletin:
- Exchange Server-Side Request Forgery Vulnerability (CVE-2015-1764): An information disclosure vulnerability exists in Microsoft Exchange web applications when Exchange does not properly manage same-origin policy.
- Exchange Cross-Site Request Forgery Vulnerability (CVE-2015-1771): An elevation of privilege vulnerability exists in Microsoft Exchange web applications when Exchange does not properly manage user sessions. For this Cross-Site Request Forgery (CSRF/XSRF) vulnerability to be exploited, the victim must be authenticated to (logged on to) the target site.
- Exchange HTML Injection Vulnerability (CVE-2015-2359): An information disclosure vulnerability exists in Microsoft Exchange web applications when Exchange does not properly sanitize HTML strings.
Related CVE Entries

CVE-2015-1764
The web applications in Microsoft Exchange Server 2013 SP1 and Cumulative Update 8 allow remote attackers to bypass the Same Origin Policy and send HTTP traffic to intranet servers via a crafted request, related to a Server-Side Request Forgery (SSRF) issue, aka "Exchange Server-Side Request Forgery Vulnerability."
Max CVSS: 4.3 | EPSS Score: 0.43% | Published: 2015-06-10 | Updated: 2018-10-12

CVE-2015-1771
Cross-site request forgery (CSRF) vulnerability in the web applications in Microsoft Exchange Server 2013 SP1 and Cumulative Update 8 allows remote attackers to hijack the authentication of arbitrary users, aka "Exchange Cross-Site Request Forgery Vulnerability."
Max CVSS: 6.8 | EPSS Score: 0.39% | Published: 2015-06-10 | Updated: 2018-10-12

CVE-2015-2359
Cross-site scripting (XSS) vulnerability in the web applications in Microsoft Exchange Server 2013 Cumulative Update 8 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka "Exchange HTML Injection Vulnerability."
Max CVSS: 4.3 | EPSS Score: 1.22% | Published: 2015-06-10 | Updated: 2018-10-12