PT-2018-9162 · Microsoft · Exchange Server 2016+4
Llt4L
Published: 2018-03-13 · Updated: 2020-08-24
CVE-2018-0940
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions:
Microsoft Exchange Server 2010 version 14.3.452.0 (Service Pack 3 Update Rollup 20)
Microsoft Exchange Server 2013 versions 15.0.1497.2 through 15.0.1514.2
Microsoft Exchange Server 2016 versions 15.1.1034.26 through 15.1.1066.14
Description: The issue arises from how links in the body of an email message are rewritten, allowing an elevation of privilege. Microsoft Exchange Outlook Web Access (OWA) fails to properly sanitize the links it presents to users. An attacker could exploit this to replace the OWA interface with a fake login page in an attempt to trick the user into disclosing sensitive information.
Recommendations:
Microsoft Exchange Server 2010 version 14.3.452.0: update to a version that includes the fix for this issue.
Microsoft Exchange Server 2013 versions 15.0.1497.2 through 15.0.1514.2: update to a version that includes the fix for this issue.
Microsoft Exchange Server 2016 versions 15.1.1034.26 through 15.1.1066.14: update to a version that includes the fix for this issue.
As a temporary workaround, consider restricting access to links in email messages to minimize the risk of exploitation.


Related Identifiers

CVE-2018-0940

Affected Products

Exchange Server
Exchange Outlook Web Access
Exchange Server 2010
Exchange Server 2013
Exchange Server 2016