CVE-2016-0032

Name of the Vulnerable Software and Affected Versions Microsoft Exchange Server 2013 versions PS1 through Cumulative Update 11 Microsoft Exchange Server 2016

Description A cross-site scripting (XSS) issue exists due to inadequate protection of the web page structure in Outlook Web Access (OWA), allowing remote attackers to inject arbitrary web script or HTML via a crafted URL. This could enable an attacker to perform script or content injection attacks and potentially trick users into disclosing sensitive information. The attacker could also redirect the user to a malicious website, which could be used to spoof content or chain an attack with other vulnerabilities in web services.

Recommendations For Microsoft Exchange Server 2013 versions PS1 through Cumulative Update 11, update to a version that includes the fix for this issue. For Microsoft Exchange Server 2016, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to the OWA component to minimize the risk of exploitation.