The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Microsoft Exchange Server

vulnerability bulletin CVE-2015-6014 CVE-2016-0138 CVE-2016-3378

Microsoft Exchange: four vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Microsoft Exchange.
Impacted products: Exchange.
Severity: 4/4.
Consequences: privileged access/rights, user access/rights, client access/rights, denial of service on service.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 4.
Creation date: 13/09/2016.
Identifiers: 3185883, CERTFR-2016-AVI-310, CVE-2015-6014, CVE-2016-0138, CVE-2016-3378, CVE-2016-3379, CVE-2016-3574, CVE-2016-3575, CVE-2016-3576, CVE-2016-3577, CVE-2016-3578, CVE-2016-3579, CVE-2016-3580, CVE-2016-3581, CVE-2016-3582, CVE-2016-3583, CVE-2016-3590, CVE-2016-3591, CVE-2016-3592, CVE-2016-3593, CVE-2016-3594, CVE-2016-3595, CVE-2016-3596, MS16-108, VIGILANCE-VUL-20593.

Description of the vulnerability

Several vulnerabilities were announced in Microsoft Exchange.

An attacker can bypass security features via Email Parsing, in order to obtain sensitive information. [severity:2/4; CVE-2016-0138]

An attacker can deceive the user, in order to redirect him to a malicious site. [severity:1/4; CVE-2016-3378]

An attacker can trigger a Cross Site Scripting, in order to run JavaScript code in the context of the web site. [severity:2/4; CVE-2016-3379]

An attacker can generate a memory corruption via Oracle Outside In Libraries, in order to trigger a denial of service, and possibly to run code (VIGILANCE-VUL-20165). [severity:4/4; CVE-2015-6014, CVE-2016-3574, CVE-2016-3575, CVE-2016-3576, CVE-2016-3577, CVE-2016-3578, CVE-2016-3579, CVE-2016-3580, CVE-2016-3581, CVE-2016-3582, CVE-2016-3583, CVE-2016-3590, CVE-2016-3591, CVE-2016-3592, CVE-2016-3593, CVE-2016-3594, CVE-2016-3595, CVE-2016-3596]

vulnerability announce CVE-2015-6013 CVE-2015-6014 CVE-2015-6015

Microsoft Exchange: two vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Microsoft Exchange.
Impacted products: Exchange.
Severity: 3/4.
Consequences: privileged access/rights, data reading, denial of service on service.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 2.
Creation date: 15/06/2016.
Identifiers: 3160339, CERTFR-2016-AVI-207, CVE-2015-6013, CVE-2015-6014, CVE-2015-6015, CVE-2016-0028, MS16-079, VIGILANCE-VUL-19892.

Description of the vulnerability

Several vulnerabilities were announced in Microsoft Exchange.

An attacker can track the activity of a user of "Outlook Web Access". [severity:3/4; CVE-2016-0028]

An attacker can generate a buffer overflow via the Microsoft variants of the libraries Oracle Outside In, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2015-6013, CVE-2015-6014, CVE-2015-6015]

computer vulnerability note CVE-2015-4808 CVE-2015-6013 CVE-2015-6014

Oracle Outside In Technology: multiple vulnerabilities of January 2016

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Oracle Outside In Technology.
Impacted products: GroupShield, McAfee Security for Email Servers, Exchange, Oracle OIT.
Severity: 3/4.
Consequences: user access/rights, denial of service on service.
Provenance: document.
Number of vulnerabilities in this bulletin: 5.
Creation date: 20/01/2016.
Identifiers: cpujan2016, CVE-2015-4808, CVE-2015-6013, CVE-2015-6014, CVE-2015-6015, CVE-2016-0432, VIGILANCE-VUL-18759, VU#916896.

Description of the vulnerability

Several vulnerabilities were announced in Oracle Outside In Technology.

An attacker can use a vulnerability of Filters, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-4808]

An attacker can use a vulnerability of Filters, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-6013]

An attacker can use a vulnerability of Filters, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-6014]

An attacker can use a vulnerability of Filters, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-6015]

An attacker can use a vulnerability of Filters, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2016-0432]

computer vulnerability CVE-2016-0029 CVE-2016-0030 CVE-2016-0031

Microsoft Exchange: four vulnerabilities of Spoofing

Synthesis of the vulnerability

An attacker can use several Spoofing vulnerabilities of Microsoft Exchange.
Impacted products: Exchange.
Severity: 2/4.
Consequences: client access/rights.
Provenance: document.
Number of vulnerabilities in this bulletin: 4.
Creation date: 12/01/2016.
Identifiers: 3124557, CERTFR-2016-AVI-015, CVE-2016-0029, CVE-2016-0030, CVE-2016-0031, CVE-2016-0032, MS16-010, VIGILANCE-VUL-18705.

Description of the vulnerability

Several vulnerabilities were announced in Microsoft Exchange Outlook Web Access.

An attacker can trigger a Cross Site Scripting in OWA, in order to run JavaScript code in the context of the web site. [severity:2/4; CVE-2016-0029]

An attacker can trigger a Cross Site Scripting in OWA, in order to run JavaScript code in the context of the web site. [severity:2/4; CVE-2016-0030]

An attacker can trigger a Cross Site Scripting in OWA, in order to run JavaScript code in the context of the web site. [severity:2/4; CVE-2016-0031]

An attacker can trigger a Cross Site Scripting in OWA, in order to run JavaScript code in the context of the web site. [severity:2/4; CVE-2016-0032]

vulnerability CVE-2015-2505 CVE-2015-2543 CVE-2015-2544

Microsoft Exchange: three vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Microsoft Exchange.
Impacted products: Exchange.
Severity: 2/4.
Consequences: data reading.
Provenance: document.
Number of vulnerabilities in this bulletin: 3.
Creation date: 08/09/2015.
Identifiers: 3089250, CERTFR-2015-AVI-376, CVE-2015-2505, CVE-2015-2543, CVE-2015-2544, MS15-103, VIGILANCE-VUL-17850.

Description of the vulnerability

Several vulnerabilities were announced in Microsoft Exchange.

An attacker can bypass security features, in order to obtain sensitive information in the Stack Trace. [severity:2/4; CVE-2015-2505]

An attacker can invite the victim to click on a link, in order to spoof a mail. [severity:2/4; CVE-2015-2543]

An attacker can invite the victim to click on a link, in order to spoof a mail. [severity:2/4; CVE-2015-2544]

computer vulnerability alert CVE-2015-1764 CVE-2015-1771 CVE-2015-2359

Microsoft Exchange: three vulnerabilities of the Web interface

Synthesis of the vulnerability

An attacker can use several vulnerabilities of the Web interface of Microsoft Exchange.
Impacted products: Exchange.
Severity: 3/4.
Consequences: user access/rights, data reading.
Provenance: document.
Number of vulnerabilities in this bulletin: 3.
Creation date: 10/06/2015.
Identifiers: 3062157, CERTFR-2015-AVI-251, CVE-2015-1764, CVE-2015-1771, CVE-2015-2359, MS15-064, VIGILANCE-VUL-17096.

Description of the vulnerability

Several vulnerabilities were announced in Microsoft Exchange.

An attacker can force Exchange to send arbitrary HTTP requests. [severity:3/4; CVE-2015-1764]

An attacker can trigger a Cross Site Request Forgery, in order to force the victim to perform operations. [severity:3/4; CVE-2015-1771]

An attacker can trigger a Cross Site Scripting, in order to execute JavaScript code in the context of the web site. [severity:3/4; CVE-2015-2359]

vulnerability CVE-2015-1628 CVE-2015-1629 CVE-2015-1630

Microsoft Exchange 2013: five vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Microsoft Exchange 2013.
Impacted products: Exchange.
Severity: 2/4.
Consequences: user access/rights, client access/rights.
Provenance: document.
Number of vulnerabilities in this bulletin: 5.
Creation date: 10/03/2015.
Identifiers: 3040856, CERTFR-2015-AVI-102, CVE-2015-1628, CVE-2015-1629, CVE-2015-1630, CVE-2015-1631, CVE-2015-1632, MS15-026, VIGILANCE-VUL-16370.

Description of the vulnerability

Several vulnerabilities were announced in Microsoft Exchange 2013.

An attacker can trigger a Cross Site Scripting in OWA, in order to execute JavaScript code in the context of the web site. [severity:2/4; CVE-2015-1628]

An attacker can trigger a Cross Site Scripting in OWA, in order to execute JavaScript code in the context of the web site. [severity:2/4; CVE-2015-1629]

An attacker can trigger a Cross Site Scripting in OWA, in order to execute JavaScript code in the context of the web site. [severity:2/4; CVE-2015-1630]

An attacker can trigger a Cross Site Scripting in OWA, in order to execute JavaScript code in the context of the web site. [severity:2/4; CVE-2015-1632]

An attacker can spoof the identity of a meeting organizer. [severity:2/4; CVE-2015-1631]

vulnerability note CVE-2014-6319 CVE-2014-6325 CVE-2014-6326

Microsoft Exchange: multiple vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Microsoft Exchange.
Impacted products: Exchange.
Severity: 3/4.
Consequences: user access/rights.
Provenance: document.
Number of vulnerabilities in this bulletin: 4.
Creation date: 09/12/2014.
Identifiers: 3009712, CERTFR-2014-AVI-517, CVE-2014-6319, CVE-2014-6325, CVE-2014-6326, CVE-2014-6336, MS14-075, VIGILANCE-VUL-15764.

Description of the vulnerability

Several vulnerabilities were announced in Microsoft Exchange.

An attacker can spoof an OWA token, in order to escalate his privileges. [severity:3/4; CVE-2014-6319]

An attacker can trigger a Cross Site Scripting in OWA, in order to execute JavaScript code in the context of the web site. [severity:2/4; CVE-2014-6325]

An attacker can trigger a Cross Site Scripting in OWA, in order to execute JavaScript code in the context of the web site. [severity:2/4; CVE-2014-6326]

An attacker can deceive the user, in order to redirect him to a malicious site. [severity:1/4; CVE-2014-6336]

computer vulnerability note 15119

Microsoft Exchange: information disclosure

Synthesis of the vulnerability

An attacker can use the Client Access Server of Microsoft Exchange, in order to obtain sensitive information.
Impacted products: Exchange.
Severity: 1/4.
Consequences: data reading.
Provenance: intranet client.
Number of vulnerabilities in this bulletin: 3.
Creation date: 05/08/2014.
Identifiers: VIGILANCE-VUL-15119.

Description of the vulnerability

The Microsoft Exchange product offers a web service for automatic configuration of clients.

An attacker can use the automatic configuration function of Exchange, in order to obtain sensitive information about the topology or the address map of the internal side of the network. [severity:1/4]

An attacker can use variations in the response time of the automatic configuration function of the Client Access Server, in order to discover valid usernames for any Active Directory account. [severity:1/4]

An attacker can use a malformed SOAP request for automatic configuration, in order to discover email addresses. [severity:1/4]

An attacker can therefore use the Client Access Server of Microsoft Exchange, in order to obtain sensitive information.

vulnerability alert CVE-2014-0294

Microsoft Forefront Protection 2010 for Exchange: code execution

Synthesis of the vulnerability

An attacker can send a malicious email to Microsoft Forefront Protection 2010 for Exchange, in order to execute code.
Impacted products: Exchange, Forefront Security for Exchange Server.
Severity: 4/4.
Consequences: privileged access/rights, user access/rights.
Provenance: document.
Creation date: 11/02/2014.
Identifiers: 2927022, BID-65397, CERTFR-2014-AVI-063, CVE-2014-0294, MS14-008, VIGILANCE-VUL-14221.

Description of the vulnerability

The Microsoft Forefront Protection 2010 for Exchange product analyzes emails, in order to detect malware.

However, a malformed email forces Forefront Protection to execute code.

An attacker can therefore send a malicious email to Microsoft Forefront Protection 2010 for Exchange, in order to execute code.