Microsoft Exchange Server Subscription Edition Rtm
Monthly
Local privilege escalation in Microsoft Exchange Server (2016 CU23, 2019 CU14/CU15, and Subscription Edition RTM) allows an already-authenticated attacker with low privileges to elevate to higher privileges by abusing unsafe deserialization of untrusted data. Microsoft reported the flaw and has released a patch; no public exploit identified at time of analysis and it is not listed in CISA KEV. The CVSS 3.1 base score is 7.8 (High), reflecting full confidentiality, integrity, and availability impact on the affected host.
Stored/reflected cross-site scripting in Microsoft Exchange Server (2016 CU23, 2019 CU14/CU15, and Subscription Edition RTM) lets a network-based, unauthenticated attacker inject malicious script that executes in a victim's browser session, enabling spoofing and - per the scope-changed CVSS 9.6 vector - high impact to confidentiality, integrity, and availability of resources beyond the vulnerable component. Exploitation requires the target to view attacker-controlled content (UI:R). Microsoft has released a patch; no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Local privilege escalation in Microsoft Exchange Server (2016 CU23, 2019 CU14/CU15, and Subscription Edition RTM) allows an authenticated attacker with low-level privileges on the server to elevate to higher privileges due to insufficiently granular access controls (CWE-1220). The CVSS 3.1 score of 7.8 (AV:L/AC:L/PR:L) reflects local exploitation yielding full confidentiality, integrity, and availability impact. A vendor patch is available; there is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.
Remote code execution in Microsoft Exchange Server (2016 CU23, 2019 CU14/CU15, and Subscription Edition RTM) lets an authenticated attacker corrupt heap memory to run arbitrary code across the network. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N) shows low-privilege network exploitation with full confidentiality, integrity, and availability impact, and Microsoft has released a patch. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Cross-site scripting (XSS) in Microsoft Exchange Server enables remote attackers to spoof content and steal credentials without authentication. Affects Exchange Server 2016 CU23, 2019 CU14/CU15, and Subscription Edition. Functional exploit code exists (CVSS temporal E:F) though no active exploitation confirmed at analysis time. CVSS 8.1 (High) driven by network vector, no authentication requirement, and dual confidentiality/integrity impact. Microsoft released patches via MSRC security update guide. Medium-high priority for organizations running affected Exchange versions with webmail or OWA exposed.
Local privilege escalation in Microsoft Exchange Server (2016 CU23, 2019 CU14/CU15, and Subscription Edition RTM) allows an already-authenticated attacker with low privileges to elevate to higher privileges by abusing unsafe deserialization of untrusted data. Microsoft reported the flaw and has released a patch; no public exploit identified at time of analysis and it is not listed in CISA KEV. The CVSS 3.1 base score is 7.8 (High), reflecting full confidentiality, integrity, and availability impact on the affected host.
Stored/reflected cross-site scripting in Microsoft Exchange Server (2016 CU23, 2019 CU14/CU15, and Subscription Edition RTM) lets a network-based, unauthenticated attacker inject malicious script that executes in a victim's browser session, enabling spoofing and - per the scope-changed CVSS 9.6 vector - high impact to confidentiality, integrity, and availability of resources beyond the vulnerable component. Exploitation requires the target to view attacker-controlled content (UI:R). Microsoft has released a patch; no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.
Local privilege escalation in Microsoft Exchange Server (2016 CU23, 2019 CU14/CU15, and Subscription Edition RTM) allows an authenticated attacker with low-level privileges on the server to elevate to higher privileges due to insufficiently granular access controls (CWE-1220). The CVSS 3.1 score of 7.8 (AV:L/AC:L/PR:L) reflects local exploitation yielding full confidentiality, integrity, and availability impact. A vendor patch is available; there is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.
Remote code execution in Microsoft Exchange Server (2016 CU23, 2019 CU14/CU15, and Subscription Edition RTM) lets an authenticated attacker corrupt heap memory to run arbitrary code across the network. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N) shows low-privilege network exploitation with full confidentiality, integrity, and availability impact, and Microsoft has released a patch. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Cross-site scripting (XSS) in Microsoft Exchange Server enables remote attackers to spoof content and steal credentials without authentication. Affects Exchange Server 2016 CU23, 2019 CU14/CU15, and Subscription Edition. Functional exploit code exists (CVSS temporal E:F) though no active exploitation confirmed at analysis time. CVSS 8.1 (High) driven by network vector, no authentication requirement, and dual confidentiality/integrity impact. Microsoft released patches via MSRC security update guide. Medium-high priority for organizations running affected Exchange versions with webmail or OWA exposed.