Main Vulnerability Database SB2016091309

SB2016091309 - Microsoft Outlook Information Disclosure Vulnerability

Published: September 13, 2016 Updated: January 10, 2019

Security Bulletin ID SB2016091309

CSH Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 vulnerability.

1) Information disclosure (CVE-ID: CVE-2016-0138)

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information.

The vulnerability exists due to improper parsing of email messages. A remote attacker can send a specially crafted message using "send as" rights and gain access to confidential user information that is contained in Microsoft Outlook applications.

Successful exploitation of the vulnerability leads to information disclosure on the vulnerable system.

Remediation

Install update from vendor's website.

References

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2016-0138