SB2023021424 - Multiple vulnerabilities in Microsoft Exchange Server
Published: February 14, 2023 Updated: April 13, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 vulnerabilities.
1) Exposed dangerous method or function (CVE-ID: CVE-2023-21529)
CWE-ID: CWE-749 - Exposed Dangerous Method or Function
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation within the MultiValuedProperty class. A remote user can send a specially crafted request and execute arbitrary code in the context of the server's account.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
2) Code Injection (CVE-ID: CVE-2023-21707)
CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation. A remote user can send a specially crafted request and execute arbitrary code in the context of the server's account.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
3) Code Injection (CVE-ID: CVE-2023-21706)
CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation. A remote user can send a specially crafted request and execute arbitrary code in the context of the server's account.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
4) Code Injection (CVE-ID: CVE-2023-21710)
CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation. A remote user with administrative privileges can send a specially crafted request and execute arbitrary code in the context of the server's account.
Remediation
Install update from vendor's website.
References
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2023-21529
- https://www.zerodayinitiative.com/advisories/ZDI-23-162/
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2023-21707
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2023-21706
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2023-21710