CVE-2013-5072

Name of the Vulnerable Software and Affected Versions Microsoft Exchange Server 2010 SP2 and SP3 Microsoft Exchange Server 2013 Cumulative Update 2 and 3

Description The issue is related to a cross-site scripting (XSS) vulnerability in Outlook Web Access, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL. Additionally, there is an elevation of privilege vulnerability that could allow an attacker to run script in the context of the current user.

Recommendations For Microsoft Exchange Server 2010 SP2 and SP3, update to a version that includes the fix for the OWA XSS Vulnerability. For Microsoft Exchange Server 2013 Cumulative Update 2 and 3, update to a version that includes the fix for the OWA XSS Vulnerability. As a temporary workaround, consider restricting access to Outlook Web Access until a patch is available.