Open redirect in Microsoft Exchange Server - CVE-2016-3378
Published: September 13, 2016 / Updated: March 3, 2017
Vulnerability identifier: #VU5418
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2016-3378
CWE-ID: CWE-601
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Microsoft
Affected software:
Microsoft Exchange Server
Microsoft Exchange Server
Detailed vulnerability description
The vulnerability allows a remote attacker to perform spoofing attacks.
Successful exploitation of the vulnerability will allow to steal valid user's credentials and use the information to conduct further attacks.
Open redirect vulnerability exists due to insufficient verification of URL when redirecting users to external websites. A remote attacker can create a specially crafted link, trick the victim into following it and redirect the victim to malicious website.
Successful exploitation of the vulnerability will allow to steal valid user's credentials and use the information to conduct further attacks.
How to mitigate CVE-2016-3378
Install update from vendor's website.