PT-2018-13753 · Microsoft · Exchange Server

Alphan Yavas · Published 2018-09-21 · Updated 2018-11-20 · CVE-2018-16793

CVSS v3.1: 8.6 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Microsoft Exchange Server 2010 SP3 prior to Update Rollup 18.

Description: Server-Side Request Forgery (SSRF) in Outlook Web Access (OWA). The forged request is triggered through the username parameter of the OWA logon page, /owa/auth/logon.aspx. The logon page is by design reachable before authentication, so no credentials or user interaction are needed (PR:N, UI:N in the vector), and because the Exchange server issues the request on the attacker's behalf, the affected components lie beyond the vulnerable one itself (S:C), with the impact rated as high integrity loss (I:H) and no direct confidentiality or availability impact.

Recommendations: Install Update Rollup 18 for Exchange Server 2010 SP3 (or a later rollup). As a temporary workaround, restrict network access to the OWA logon page, for example by exposing OWA only to trusted networks or behind a pre-authentication gateway or reverse proxy. Where a reverse proxy or WAF is in front of OWA, reject or log requests to /owa/auth/logon.aspx whose username parameter carries URL-like content (a scheme such as http://, a UNC path beginning with \\, or a protocol-relative //), since a legitimate logon name is a domain\user or UPN value and never looks like a URL.
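As an added example (not part of the original advisory), the heuristic below scans IIS W3C log lines for requests to /owa/auth/logon.aspx whose username parameter looks like a URL or UNC path rather than a logon name. The log lines are constructed for this example, the field layout is an assumed (common) IIS #Fields order, and the "URL-like username" test is a detection assumption, not the vulnerability's actual trigger, which the advisory does not disclose. Note that IIS logs only the query string (cs-uri-query): a username submitted in a POST body is not visible here and would have to be inspected at a reverse proxy or WAF that captures request bodies.

```python
"""Flag OWA logon requests whose username parameter looks like an SSRF probe.

Heuristic detection, not an exploit: parse IIS W3C log lines and report
requests to /owa/auth/logon.aspx where the 'username' query parameter
carries URL-like content (scheme://, a UNC \\ path, or a protocol-relative //).
"""
import re
from urllib.parse import parse_qs, unquote

# Assumed IIS #Fields order for this example; adjust to your own log header.
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)", "sc-status"]

# Constructed sample log lines (not real traffic). IPs are documentation ranges.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2018-09-21 10:00:01 10.0.0.5 GET /owa/auth/logon.aspx url=https%3A%2F%2Fmail.example.test%2Fowa%2F&reason=0 443 - 203.0.113.10 Mozilla/5.0 200
2018-09-21 10:00:07 10.0.0.5 POST /owa/auth/logon.aspx username=http%3A%2F%2F169.254.169.254%2F 443 - 198.51.100.7 curl/7.61.0 302
2018-09-21 10:00:09 10.0.0.5 POST /owa/auth/logon.aspx username=%5C%5Cfileserver%5Cshare 443 - 198.51.100.7 curl/7.61.0 302
2018-09-21 10:00:12 10.0.0.5 POST /owa/auth/logon.aspx username=alice%40example.test 443 - 203.0.113.11 Mozilla/5.0 302
2018-09-21 10:00:15 10.0.0.5 GET /owa/ - 443 EXAMPLE\\alice 203.0.113.11 Mozilla/5.0 200
"""

# A logon name is DOMAIN\user or user@domain; it never starts with a scheme,
# a UNC prefix (\\) or a protocol-relative prefix (//).
SUSPECT = re.compile(r"^(?:[a-z][a-z0-9+.-]*://|\\\\|//)", re.IGNORECASE)


def parse_line(line):
    """Split one W3C log line into a dict, or None if the field count is off."""
    parts = line.rstrip("\n").split(" ")
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def username_from_query(query):
    """Return the decoded 'username' query value, or None if absent ('-' = no query)."""
    if query == "-":
        return None
    values = parse_qs(query, keep_blank_values=True).get("username")
    if not values:
        return None
    # parse_qs already decodes once; a second unquote catches double-encoded values.
    return unquote(values[0])


def is_suspicious_username(value):
    """True when the value looks like a URL/UNC target rather than a logon name."""
    return bool(value) and SUSPECT.search(value) is not None


def find_ssrf_probes(log_text):
    """Return (client_ip, method, username) for each suspicious logon request."""
    hits = []
    for line in log_text.splitlines():
        if line.startswith("#") or not line.strip():
            continue  # skip W3C header/comment lines and blanks
        rec = parse_line(line)
        if rec is None or rec["cs-uri-stem"].lower() != "/owa/auth/logon.aspx":
            continue
        user = username_from_query(rec["cs-uri-query"])
        if is_suspicious_username(user):
            hits.append((rec["c-ip"], rec["cs-method"], user))
    return hits


if __name__ == "__main__":
    for client_ip, method, user in find_ssrf_probes(SAMPLE_LOG):
        print(f"suspicious OWA logon from {client_ip} ({method}): username={user!r}")
```

On the sample input the two requests from 198.51.100.7 are reported (an http:// target and a UNC path), while the normal UPN logon and the unrelated /owa/ request are not. The prefix test is deliberately narrow to keep false positives low on a busy OWA front end; widen it only once you know what your own legitimate logon names look like.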

Tags: Exploit · Fix · SSRF


Weakness Enumeration

Related Identifiers

CVE-2018-16793

Affected Products

Exchange Server