PT-2014-7156 · Microsoft · Outlook Web App
Published: 2014-12-09 · Updated: 2018-10-12 · CVE-2014-6325
CVSS v2.0: 4.3 (Medium), vector AV:N/AC:M/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions
Microsoft Exchange Server 2013 SP1
Microsoft Exchange Server Cumulative Update 6
Description
The issue allows remote attackers to inject arbitrary web script or HTML via a crafted URL. Elevation of privilege is possible because the server does not properly validate input, allowing an attacker to run script in the context of the current user. This could enable the attacker to read unauthorized content, use the victim's identity to take actions on the Outlook Web App site, and inject malicious content into the victim's browser. Exploitation requires a user to click a specially crafted URL that takes the user to a targeted Outlook Web App site.
Recommendations
For Microsoft Exchange Server 2013 SP1, update to a version that properly validates input to prevent elevation of privilege.
For Microsoft Exchange Server Cumulative Update 6, consider restricting access to the Outlook Web App site until a patch that addresses the input validation issue is available.
As a temporary workaround, consider warning users about the risks of clicking specially crafted URLs that could lead to malicious actions on the Outlook Web App site.
Fix
XSS
Affected Products
Exchange Server
Exchange Server 2013 SP1
Exchange Server Cumulative Update 6
Outlook Web App