PT-2016-5437 · Microsoft · Exchange Server

Published

2016-09-13

·

Updated

2018-10-12

·

CVE-2016-3378

CVSS v3.1

7.4

High

Vector

AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions

Microsoft Exchange Server versions 2013 SP1 through 2016 Cumulative Update 2

Description

The issue allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a crafted URL. An attacker could send a link containing a specially crafted URL and convince the user to click it, redirecting the authenticated user's browser session to a malicious site that impersonates a legitimate website. This could trick the user into disclosing sensitive information, such as the user's credentials.

Recommendations

For Microsoft Exchange Server 2013 SP1, update to a version outside of the affected range to resolve the issue. For Microsoft Exchange Server 2013 Cumulative Update 12 and 2013 Cumulative Update 13, update to a version outside of the affected range to resolve the issue. For Microsoft Exchange Server 2016 Cumulative Update 1 and 2016 Cumulative Update 2, update to a version outside of the affected range to resolve the issue. As a temporary workaround, consider restricting access to crafted URLs to minimize the risk of exploitation.

Related Identifiers

CVE-2016-3378

Affected Products

Exchange Server