CVE-2016-0028 — MEDIUM (5.5)

Vulnerability Description

Outlook Web Access (OWA) in Microsoft Exchange Server 2013 SP1, Cumulative Update 11, and Cumulative Update 12 and 2016 Gold and Cumulative Update 1 does not properly restrict loading of IMG elements, which makes it easier for remote attackers to track users via a crafted HTML e-mail message, aka "Microsoft Exchange Information Disclosure Vulnerability."

CVSS Score

5.5

MEDIUM

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Microsoft	Exchange Server	2013
Microsoft	Outlook Web Access	All versions

Related Weaknesses (CWE)

CWE-200

References

http://www.securitytracker.com/id/1036106Third Party AdvisoryVDB Entry
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-07
http://www.securitytracker.com/id/1036106Third Party AdvisoryVDB Entry
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-07

FAQ

What is CVE-2016-0028?

CVE-2016-0028 is a vulnerability with a CVSS score of 5.5 (MEDIUM). Outlook Web Access (OWA) in Microsoft Exchange Server 2013 SP1, Cumulative Update 11, and Cumulative Update 12 and 2016 Gold and Cumulative Update 1 does not properly restrict loading of IMG elements,...

How severe is CVE-2016-0028?

CVE-2016-0028 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2016-0028?

Check the references section above for vendor advisories and patch information. Affected products include: Microsoft Exchange Server, Microsoft Outlook Web Access.