MS15-026: Vulnerabilities in Microsoft Exchange Server Could Allow Elevation of Privilege (3040856)

This script is Copyright (C) 2015-2017 Tenable Network Security, Inc.


Synopsis :

The remote Microsoft Exchange server is affected by multiple
vulnerabilities.

Description :

The remote Microsoft Exchange server is missing a security update. It
is, therefore, affected by multiple vulnerabilities :

- Multiple cross-site scripting vulnerabilities exist due
to improper sanitization of page content in Outlook Web
App. An attacker can exploit these vulnerabilities by
modifying properties within Outlook Web App and then
convincing a user to browse to the targeted Outlook Web App
site, resulting in the execution of arbitrary script
code in the context of the current user. (CVE-2015-1628,
CVE-2015-1629, CVE-2015-1630, CVE-2015-1632)

- A spoofing vulnerability exists due to a failure to
properly validate the meeting organizer's identity when
accepting or modifying meeting requests. A remote
attacker can exploit this issue to send forged meeting
requests appearing to originate from a legitimate
organizer. (CVE-2015-1631)

See also :

https://technet.microsoft.com/library/security/MS15-026

Solution :

Microsoft has released a set of patches for Exchange 2013.

Risk factor :

Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVSS Temporal Score : 3.7
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : true

Family: Windows : Microsoft Bulletins

Nessus Plugin ID: 81740

Bugtraq ID: 72883, 72888, 72887, 72890, 72895

CVE ID: CVE-2015-1628, CVE-2015-1629, CVE-2015-1630, CVE-2015-1631, CVE-2015-1632
