MS15-103: Vulnerabilities in Microsoft Exchange Server Could Allow Information Disclosure (3089250)

medium Nessus Plugin ID 85883

Synopsis

The remote Microsoft Exchange server is affected by multiple information disclosure vulnerabilities.

Description

The remote Microsoft Exchange server is missing a security update. It is, therefore, affected by multiple vulnerabilities :

- An information disclosure vulnerability exists Outlook Web Access (OWA) due to improper handling of web requests. An unauthenticated, remote attacker can exploit this, via a specially crafted web application request, to see the contents of a stacktrace.
(CVE-2015-2505)

- Multiple spoofing vulnerabilities exist in Outlook Web Access (OWA) due to improper sanitization of specially crafted email. An unauthenticated, remote attacker can exploit these vulnerabilities by convincing a user to visit a malicious website, resulting in the disclosure of sensitive information. (CVE-2015-2543, CVE-2015-2544)

Solution

Microsoft has released a set of patches for Exchange 2013.

See Also

http://www.nessus.org/u?de71da53

Plugin Details

Severity: Medium

ID: 85883

File Name: smb_nt_ms15-103.nasl

Version: 1.11

Type: local

Agent: windows

Published: 9/10/2015

Updated: 4/20/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.4

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2015-2505

Vulnerability Information

CPE: cpe:/a:microsoft:exchange_server

Required KB Items: SMB/MS_Bulletin_Checks/Possible

Exploit Ease: No known exploits are available

Patch Publication Date: 9/8/2015

Vulnerability Publication Date: 9/8/2015

Reference Information

CVE: CVE-2015-2505, CVE-2015-2543, CVE-2015-2544

BID: 76595, 76596, 76598

MSFT: MS15-103

MSKB: 3087126