Executive Summary
Summary | |
---|---|
Title | Vulnerabilities in Outlook Web Access for Exchange Server Could Allow Elevation of Privilege (953747) |
Information | |||
---|---|---|---|
Name | MS08-039 | First vendor Publication | 2008-07-08 |
Vendor | Microsoft | Last vendor Modification | 2008-07-08 |
Severity (Vendor) | Important | Revision | N/A |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
Impact Sub Score | NA | Temporal Score | NA |
Exploitability Sub Score | NA | ||
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:M/Au:N/C:N/I:P/A:N) | |||
---|---|---|---|
Cvss Base Score | 4.3 | Attack Range | Network |
Cvss Impact Score | 2.9 | Attack Complexity | Medium |
Cvss Exploit Score | 8.6 | Authentication | None Required |
Detail
This security update resolves two privately reported vulnerabilities in Outlook Web Access (OWA) for Microsoft Exchange Server. An attacker who successfully exploited these vulnerabilities could gain access to an individual OWA client's session data, allowing elevation of privilege. The attacker could then perform any action the user could perform from within the individual client's OWA session. |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-79 | Failure to Preserve Web Page Structure ('Cross-site Scripting') (CWE/SANS Top 25) |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:5354 | |||
Oval ID: | oval:org.mitre.oval:def:5354 | ||
Title: | OWA For Exchange Server Data Validation XSS Vulnerability | ||
Description: | Cross-site scripting (XSS) vulnerability in Outlook Web Access (OWA) for Exchange Server 2003 SP2 allows remote attackers to inject arbitrary web script or HTML via unspecified e-mail fields, a different vulnerability than CVE-2008-2248. | ||
Family: | windows | Class: | vulnerability |
Reference(s): | CVE-2008-2247 | Version: | 1 |
Platform(s): | Microsoft Windows Server 2003 Microsoft Windows Server 2008 | Product(s): | Microsoft Exchange Server |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:5695 | |||
Oval ID: | oval:org.mitre.oval:def:5695 | ||
Title: | OWA For Exchange Server Parsing XSS Vulnerability | ||
Description: | Cross-site scripting (XSS) vulnerability in Outlook Web Access (OWA) for Exchange Server 2003 SP2 allows remote attackers to inject arbitrary web script or HTML via unspecified HTML, a different vulnerability than CVE-2008-2247. | ||
Family: | windows | Class: | vulnerability |
Reference(s): | CVE-2008-2248 | Version: | 1 |
Platform(s): | Microsoft Windows Server 2003 Microsoft Windows Server 2008 | Product(s): | Microsoft Exchange Server |
Definition Synopsis: | |||
CPE : Common Platform Enumeration
Type | Description | Count |
---|---|---|
Application | 3 | |
Application | 1 |
OpenVAS Exploits
Date | Description |
---|---|
2008-08-22 | Name : Outlook Web Access for Exchange Server Elevation of Privilege (953747) File : nvt/secpod_ms08-039_900007.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
46780 | Microsoft Outlook Web Access (OWA) HTML Parsing Unspecified XSS |
46779 | Microsoft Outlook Web Access (OWA) Data Validation Unspecified XSS Microsoft OWA contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate email fields from within a user's session. This could allow an attacker to execute malicious script in the security context of the victim's OWA session via a specially crafted email, and read, send, and delete emails as the logged-on user, leading to a loss of integrity. |
Information Assurance Vulnerability Management (IAVM)
Date | Description |
---|---|
2008-07-10 | IAVM : 2008-T-0033 - Multiple Vulnerabilities in Microsoft Outlook Web Access Severity : Category II - VMSKEY : V0016150 |
Snort® IPS/IDS
Date | Description |
---|---|
2014-01-10 | Microsoft Office Outlook Web Access invalid CSS escape sequence script execut... RuleID : 13895 - Revision : 16 - Type : SERVER-MAIL |
2014-01-10 | Microsoft Office Outlook Web Access From field cross-site scripting attempt RuleID : 13894 - Revision : 19 - Type : SERVER-MAIL |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2008-07-08 | Name : The remote web server is vulnerable to cross-site scripting issues. File : smb_nt_ms08-039.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Information |
---|---|
2014-02-17 11:46:00 | |
2014-01-19 21:30:13 | |
2013-11-11 12:41:08 | |
2013-05-11 00:49:20 | |