Vulnerability Details CVE-2020-16969
<p>An information disclosure vulnerability exists in how Microsoft Exchange validates tokens when handling certain messages. An attacker who successfully exploited the vulnerability could use this to gain further information from a user.</p>
<p>To exploit the vulnerability, an attacker could include specially crafted OWA messages that could be loaded, without warning or filtering, from the attacker-controlled URL. This callback vector provides an information disclosure tactic used in web beacons and other types of tracking systems.</p>
<p>The security update corrects the way that Exchange handles these token validations.</p>
Exploit prediction scoring system (EPSS) score
EPSS Score 0.012
EPSS Ranking 77.6%
CVSS Severity
CVSS v3 Score 7.1
CVSS v2 Score 4.3
References
Products affected by CVE-2020-16969
-
cpe:2.3:a:microsoft:exchange_server:2013
-
cpe:2.3:a:microsoft:exchange_server:2016
-
cpe:2.3:a:microsoft:exchange_server:2019