CVE-2016-3379

Name of the Vulnerable Software and Affected Versions Microsoft Exchange Server 2016 versions Cumulative Update 1 through Cumulative Update 2

Description The issue allows remote attackers to inject arbitrary web script or HTML via a meeting-invitation request. An elevation of privilege vulnerability exists in the way that Microsoft Outlook handles meeting invitation requests. To exploit the issue, an attacker could send a specially crafted Outlook meeting invitation request with malicious cross-site scripting (XSS) capability to a user.

Recommendations For Microsoft Exchange Server 2016 Cumulative Update 1, update to a version that includes the fix for this issue. For Microsoft Exchange Server 2016 Cumulative Update 2, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting the handling of meeting invitation requests in Microsoft Outlook until a patch is available.