PT-2014-7167 · Microsoft · Exchange Server 2013+2

Published: 2014-12-09 · Updated: 2018-10-12 · CVE-2014-6336

CVSS v2.0: 3.5 (Low)
Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions: Microsoft Exchange Server 2013 SP1 and Cumulative Update 6

Description: A spoofing issue exists because Microsoft Outlook Web App (OWA) does not properly validate redirection tokens. This allows remote attackers to redirect users to arbitrary web sites and to spoof the origin of e-mail messages. An attacker could exploit this to send e-mail that appears to come from a user other than the attacker: a link that appears to originate from the user's own domain redirects the user to an arbitrary, attacker-chosen domain.

Recommendations: For Microsoft Exchange Server 2013 SP1 and Cumulative Update 6, consider disabling the redirection feature in OWA as a temporary workaround until a patch is available. Restrict access to OWA to minimize the risk of exploitation, and avoid following links that may redirect to arbitrary domains until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

RCE


Weakness Enumeration

Related Identifiers

CVE-2014-6336

Affected Products

Exchange Server
Exchange Server 2013
Outlook Web App