KB4018588: Security Update for Microsoft Exchange Server

This script is Copyright (C) 2017 Tenable Network Security, Inc.


Synopsis :

The remote Microsoft Exchange Server is affected by multiple
vulnerabilities.

Description :

The remote Microsoft Exchange Server is missing a security update. It
is, therefore, affected by multiple vulnerabilities :

- Multiple cross-site scripting (XSS) vulnerabilities
exist in Microsoft Exchange Outlook Web Access (OWA)
due to improper validation of user-supplied input in web
requests. An unauthenticated, remote attacker can
exploit these, via a specially crafted link, to execute
arbitrary script code in a user's browser session.
(CVE-2017-8559, CVE-2017-8560)

- A cross-site redirection vulnerability exists due to
improper validation of user-supplied input before
returning it to users. An unauthenticated, remote
attacker can exploit this, by convincing a user to
follow a link, to cause the user to load a malicious
website, which then can be used to conduct further
attacks. (CVE-2017-8621)

See also :

http://www.nessus.org/u?eb2a7256

Solution :

Microsoft has released a set of patches for Exchange Server 2010,
2013, and 2016.

Risk factor :

Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVSS Temporal Score : 3.6
(CVSS2#E:F/RL:OF/RC:ND)
Public Exploit Available : true

Family: Windows : Microsoft Bulletins

Nessus Plugin ID: 101522 ()

Bugtraq ID: 99448
99449
99533

CVE ID: CVE-2017-8559
CVE-2017-8560
CVE-2017-8621

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now