CVE-2020-16969
Description
An information disclosure vulnerability exists in how Microsoft Exchange validates tokens when handling certain messages. An attacker who successfully exploited the vulnerability could use this to gain further information from a user. To exploit the vulnerability, an attacker could include specially crafted OWA messages that could be loaded, without warning or filtering, from the attacker-controlled URL. This callback vector provides an information disclosure tactic used in web beacons and other types of tracking systems. The security update corrects the way that Exchange handles these token validations.
Risk Information
Base Score
6.9
MODERATE
Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L/E:P/RL:O/RC:C
EPSS Score
Exploitation Probability
0.865
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| Microsoft Exchange Information Disclosure Vulnerability For Exchange Server 2013 CU23 (KB4581424) | Windows |
| Microsoft Exchange Information Disclosure Vulnerability For Exchange Server 2016 CU17 (KB4581424) | Windows |
| Microsoft Exchange Information Disclosure Vulnerability For Exchange Server 2016 CU18 (KB4581424) | Windows |
| Microsoft Exchange Information Disclosure Vulnerability For Exchange Server 2019 CU6 (KB4581424) | Windows |
| Microsoft Exchange Information Disclosure Vulnerability For Exchange Server 2019 CU7 (KB4581424) | Windows |
Patch Details
| Patch ID | Patch Description |
|---|---|
| PATCH-30177 | Security Update For Exchange Server 2013 CU23 (KB4581424) |
| PATCH-30178 | Security Update For Exchange Server 2016 CU17 (KB4581424) |
| PATCH-30179 | Security Update For Exchange Server 2016 CU18 (KB4581424) |
| PATCH-30180 | Security Update For Exchange Server 2019 CU6 (KB4581424) |
| PATCH-30181 | Security Update For Exchange Server 2019 CU7 (KB4581424) |
References
https://nvd.nist.gov/vuln/detail/CVE-2020-16969
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16969