PT-2015-5401 · Microsoft · Outlook Web App +3

Published: 2015-03-10 · Updated: 2018-10-12 · CVE-2015-1628

CVSS v2.0: 4.3 (Medium)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions

Microsoft Exchange Server 2013 SP1
Microsoft Exchange Server Cumulative Update 7

Description

A cross-site scripting (XSS) vulnerability in Outlook Web App allows remote attackers to inject arbitrary web script or HTML via a crafted X-OWA-Canary cookie in an AD.RecipientType.User action. Elevation of privilege vulnerabilities also exist because Outlook Web App does not properly sanitize page content: an attacker who convinces a user to browse to a targeted site after modifying certain properties could run script in the context of the current user.

Recommendations

For Microsoft Exchange Server 2013 SP1, update to a version that properly sanitizes page content in Outlook Web App, which closes the elevation of privilege issue. For Microsoft Exchange Server Cumulative Update 7, restrict access to the Outlook Web App site until a patch is available, so the XSS vulnerability cannot be exploited. As a temporary workaround, consider disabling the use of the X-OWA-Canary cookie in AD.RecipientType.User actions until a patch is available.

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2015-1628

Affected Products

Exchange Server
Exchange Server 2013 Sp1
Exchange Server Cumulative Update 7
Outlook Web App