CVE-2015-2544

Name of the Vulnerable Software and Affected Versions Microsoft Exchange Server versions 2013 Cumulative Update 8 through 2013 Cumulative Update 9 and 2013 SP1

Description The issue exists due to inadequate protection of the web page structure in Outlook Web Access, allowing a remote attacker to inject arbitrary web or HTML code via a specially crafted email message. This can lead to HTML injection attacks, potentially tricking users into disclosing sensitive information. The exploitation requires the user to click on a specially crafted URL.

Recommendations For Microsoft Exchange Server 2013 Cumulative Update 8, update to a version that includes the fix for this issue. For Microsoft Exchange Server 2013 Cumulative Update 9, update to a version that includes the fix for this issue. For Microsoft Exchange Server 2013 SP1, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to specially crafted email messages to minimize the risk of exploitation.