CVE-2015-2543

Name of the Vulnerable Software and Affected Versions Microsoft Exchange Server 2013 Cumulative Update 8 and 9

Description A cross-site scripting (XSS) issue exists due to insufficient protection of the web page structure in Outlook Web Access (OWA) of Microsoft Exchange Server. This allows remote attackers to inject arbitrary web script or HTML via a crafted email message. An authenticated attacker could exploit this by sending a specially crafted email to a user, potentially leading to HTML injection attacks and attempts to trick the user into disclosing sensitive information. The user must click a specially crafted URL for the exploitation to be successful.

Recommendations For Microsoft Exchange Server 2013 Cumulative Update 8 and 9, consider disabling the OWA component until a patch is available to prevent exploitation of the XSS vulnerability. Restrict access to specially crafted email messages to minimize the risk of HTML injection attacks. Avoid clicking on suspicious URLs received via email to prevent potential exploitation.