Suresh C

Name of the Vulnerable Software and Affected Versions: Microsoft Exchange Server (affected versions not specified) Description: The issue is related to an information disclosure vulnerability in how Microsoft Exchange validates tokens when handling certain messages. This could allow a remote attacker to gain unauthorized access to protected information. The vulnerability can be exploited by including specially crafted OWA messages that could be loaded from an attacker-controlled URL, providing an information disclosure tactic used in web beacons and other types of tracking systems. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Microsoft Dynamics 365 (on-premises) (affected versions not specified) Description: A cross-site scripting issue exists due to inadequate protection of the web page structure. This could allow a remote attacker to perform cross-site scripting attacks using a specially crafted request. An authenticated attacker could exploit this by sending a specially crafted request to the affected Dynamics server, potentially allowing them to read unauthorized content, use the victim's identity to take actions within the Dynamics Server, change permissions, delete content, and inject malicious content into the user's browser. Recommendations: For Microsoft Dynamics 365 (on-premises), apply the security update that addresses the vulnerability by ensuring Dynamics Server properly sanitizes web requests. As a temporary workaround, consider restricting access to sensitive areas of the Dynamics Server to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Microsoft SharePoint (affected versions not specified) **Description** A spoofing issue exists due to improper handling of requests to authorize applications, resulting in cross-site request forgery (CSRF). To exploit this, an attacker would need to create a page designed to cause a cross-site request. This allows a remote attacker to perform actions that may not be intended by the user. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Microsoft Exchange Server (affected versions not specified) **Description** The issue is related to insufficient sanitization of user-provided data, allowing a remote attacker to perform cross-site scripting attacks by sending a specially crafted request to the Exchange server. This could enable the attacker to read unauthorized content, use the victim's identity to take actions on the Exchange server, and inject malicious content into the user's browser. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Skype for Business 2015 (affected versions not specified) **Description** A spoofing issue exists due to improper sanitization of specially crafted requests. This could allow a remote attacker to perform a cross-site scripting attack using a specially crafted request. The issue is related to the lack of protection for the web page structure in Microsoft Lync Server and Skype for Business Server. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.