CVE-2016-0028

Published: Jun 16, 2016Modified: May 6, 2026

5.5

Vector

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Exploitability: 1.8 / Impact: 3.6

Source: NVD

Description

Outlook Web Access (OWA) in Microsoft Exchange Server 2013 SP1, Cumulative Update 11, and Cumulative Update 12 and 2016 Gold and Cumulative Update 1 does not properly restrict loading of IMG elements, which makes it easier for remote attackers to track users via a crafted HTML e-mail message, aka "Microsoft Exchange Information Disclosure Vulnerability."

Affected (1)

Products: Microsoft: Outlook Web Access

Microsoft

1 product

Outlook Web Access

Configuration A

1 vulnerable · 5 platform

Vulnerable Software	Affected Versions
Microsoft Outlook Web Access	All versions

Running on/with	Platform Versions
Microsoft Exchange Server	Version 2013 cumulative_update_11
Microsoft Exchange Server	Version 2013 cumulative_update_12
Microsoft Exchange Server	Version 2013 sp1
Microsoft Exchange Server	Version 2016
Microsoft Exchange Server	Version 2016 cumulative_update_1

Related CWEs

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

References (4)

http://www.securitytracker.com/id/1036106

Source: secure@microsoft.com

Third Party AdvisoryVDB Entry

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-079

Source: secure@microsoft.com

http://www.securitytracker.com/id/1036106

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryVDB Entry

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2016/ms16-079

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.