Detections
Analytics
Microsoft Exchange Server Autodiscover Cross-Site Scripting
medium Web App Scanning Plugin ID 113057
Language:
Synopsis
Microsoft Exchange Server Autodiscover Cross-Site ScriptingDescription
Microsoft Exchange Server versions 2019 before cumulative update 11, 2016 before cumulative update 22 and 2013 before cumulative update 23 are affected by a cross-site scripting vulnerability through the `autodiscover/autodiscover.json` endpoint. By crafting a specific URL, an attacker could target any Exchange user and try conducting phishing attacks or performing arbitrary modification on the target application.Solution
Apply cumulative update 11 for Exchange Server 2019, cumulative update 22 for Exchange Server 2016 and cumulative update 23 for Exchange Server 2013 as described on Microsoft website.See Also
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-41349
Plugin Details
Severity: Medium
ID: 113057
Type: remote
Family: Component Vulnerability
Published: 11/22/2021
Updated: 11/22/2021
Scan Template: basic, full, pci, scan
Risk Information
VPR
Risk Factor: Low
Score: 3.6
CVSS v2
Risk Factor: Medium
Base Score: 4.3
Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSS Score Source: CVE-2021-41349
CVSS v3
Risk Factor: Medium
Base Score: 6.5
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
CVSS Score Source: CVE-2021-41349
Vulnerability Information
Exploit Available: true
Exploit Ease: Exploits are available
Reference Information
CVE: CVE-2021-41349
CWE: 79
OWASP: 2010-A2, 2013-A3, 2013-A9, 2017-A7, 2017-A9, 2021-A3, 2021-A6
WASC: Cross-Site Scripting
CAPEC: 209, 588, 591, 592, 63, 85
DISA STIG: APSC-DV-002490, APSC-DV-002630
HIPAA: 164.306(a)(1), 164.306(a)(2)
ISO: 27001-A.14.2.5
NIST: sp800_53-CM-6b, sp800_53-SI-10
OWASP API: 2019-API7, 2023-API8
OWASP ASVS: 4.0.2-14.2.1, 4.0.2-5.3.3