5 results (0.005 seconds)

CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0

Outlook Web Access (OWA) in Microsoft Exchange Server 2013 SP1, Cumulative Update 11, and Cumulative Update 12 and 2016 Gold and Cumulative Update 1 does not properly restrict loading of IMG elements, which makes it easier for remote attackers to track users via a crafted HTML e-mail message, aka "Microsoft Exchange Information Disclosure Vulnerability." Outlook Web Access (OWA) en Microsoft Exchange Server 2013 SP1, Cumulative Update 11 y Cumulative Update 12 y 2016 Gold y Cumulative Update 1 no restringe correctamente la carga de elementos IMG, lo que facilita a atacantes remotos rastrear usuarios a través de un mensaje de e-mail HTML manipulado, también conocida como "Microsoft Exchange Information Disclosure Vulnerability". • http://www.securitytracker.com/id/1036106 https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-079 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 6.8EPSS: 5%CPEs: 3EXPL: 4

Cross-site request forgery (CSRF) vulnerability in Microsoft Outlook Web Access (owa/ev.owa) 2007 through SP2 allows remote attackers to hijack the authentication of e-mail users for requests that perform Outlook requests, as demonstrated by setting the auto-forward rule. Vulnerabilidad de falsificación de petición en sitios cruzados (CSRF) en Microsoft Outlook Web Access (owa/ev.owa) 2007 hasta SP2 permite a atacantes remotos secuestrar la autenticación de usuarios de e-mail para peticiones que llevan a cabo peticiones Outlook, como se demostró estableciendo la regla de "auto-forward" • https://www.exploit-db.com/exploits/14285 http://sites.google.com/site/tentacoloviola/pwning-corporate-webmails http://www.exploit-db.com/exploits/14285 http://www.securityfocus.com/bid/41462 https://exchange.xforce.ibmcloud.com/vulnerabilities/60164 • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 4.3EPSS: 96%CPEs: 4EXPL: 0

Cross-site scripting (XSS) vulnerability in Outlook Web Access (OWA) for Exchange Server 2003 SP2 allows remote attackers to inject arbitrary web script or HTML via unspecified HTML, a different vulnerability than CVE-2008-2247. La vulnerabilidad de tipo Cross-site scripting (XSS) en Outlook Web Access (OWA) para Exchange Server 2003 SP2, permite a atacantes remotos inyectar script web o HTML por medio de HTML no especificado, una vulnerabilidad diferente a la CVE-2008-2247. • http://secunia.com/advisories/30964 http://www.securityfocus.com/bid/30078 http://www.securitytracker.com/id?1020439 http://www.us-cert.gov/cas/techalerts/TA08-190A.html http://www.vupen.com/english/advisories/2008/2021/references https://docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-039 https://exchange.xforce.ibmcloud.com/vulnerabilities/43329 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5695 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 1.9EPSS: 0%CPEs: 1EXPL: 0

Unspecified versions of Microsoft Outlook Web Access (OWA) use the Cache-Control: no-cache HTTP directive instead of no-store, which might cause web browsers that follow RFC-2616 to cache sensitive information. Versiones sin especificar de Microsoft Outlook Web Access (OWA) utilizan la directiva Cache-Control: no-cache HTTP en vez de no-store, lo que podría provocar que navegadores web que siguen RFC-2616 almacenen en caché información sensible. • http://www.kb.cert.org/vuls/id/829876 http://www.securityfocus.com/bid/29121 https://exchange.xforce.ibmcloud.com/vulnerabilities/42301 •

CVSS: 5.0EPSS: 6%CPEs: 2EXPL: 0

Microsoft Outlook 2003 and Outlook Web Access (OWA) 2003 do not properly display comma separated addresses in the From field in an e-mail message, which could allow remote attackers to spoof e-mail addresses. • http://www.idefense.com/application/poi/display?id=227&type=vulnerabilities https://exchange.xforce.ibmcloud.com/vulnerabilities/20026 •