Security restrictions bypass in Microsoft Exchange Server

Published: 2018-12-11 22:20:06 | Updated: 2018-12-11
Severity: Low
Patch available: YES
Number of vulnerabilities: 1
CVE ID: CVE-2018-8604
CVSSv3: 3.8 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CWE ID: CWE-20
Exploitation vector: Network
Public exploit: N/A
Vulnerable software: Microsoft Exchange Server
Vulnerable software versions: Microsoft Exchange Server 2016 Cumulative Update 10, Microsoft Exchange Server 2016 Cumulative Update 11
Vendor URL: Microsoft

Security Advisory

1) Input validation error

Description

The vulnerability allows a remote authenticated attacker to tamper with other users' data.

The vulnerability exists due to insufficient validation of user-supplied input when processing user profile data. A remote authenticated attacker can send a specially crafted request to the server and modify the target user's profile.

Remediation

Install updates from the vendor's website.

External links

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8604
