CVE-2019-1084

Published: Jul 15, 2019Modified: Nov 21, 2024

6.5

Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

An information disclosure vulnerability exists when Exchange allows creation of entities with Display Names having non-printable characters. An authenticated attacker could exploit this vulnerability by creating entities with invalid display names, which, when added to conversations, remain invisible. This security update addresses the issue by validating display names upon creation in Microsoft Exchange, and by rendering invalid display names correctly in Microsoft Outlook clients., aka 'Microsoft Exchange Information Disclosure Vulnerability'.

Affected (22)

Products: Microsoft: Exchange Server, Lync, Lync Basic, Mail And Calendar, Office, Office 365 Proplus, Outlook, Skype For Business, Skype For Business Basic

9 products

Skype For Business Basic

Configuration A

22 vulnerable

Vulnerable Software	Affected Versions
Microsoft Exchange Server	Version 2010 sp2
Microsoft Exchange Server	Version 2013 cumulative_update_23
Microsoft Exchange Server	Version 2016 cumulative_update_12
Microsoft Exchange Server	Version 2016 cumulative_update_13
Microsoft Exchange Server	Version 2016 cumulative_update_1
Microsoft Exchange Server	Version 2016 cumulative_update_2
Microsoft Lync	Version 2013 sp1
Microsoft Lync Basic	Version 2013 sp1
Microsoft Mail And Calendar	All versions
Microsoft Office	Version 2010 sp2
Microsoft Office	Version 2013 sp1
Microsoft Office	Version 2016
Microsoft Office	Version 2016
Microsoft Office	Version 2019
Microsoft Office	Version 2019
Microsoft Office 365 Proplus	All versions
Microsoft Outlook	All versions
Microsoft Outlook	Version 2013 sp1
Microsoft Outlook	Version 2016
Microsoft Outlook	Version 2016
Microsoft Skype For Business	Version 2016
Microsoft Skype For Business Basic	Version 2016

Related CWEs

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

References (2)

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1084

Source: secure@microsoft.com

PatchVendor Advisory

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1084

Source: af854a3a-2127-422b-91ae-364da2661108

PatchVendor Advisory

Timeline

No history available yet.