Security updates have been released for Exchange 2013, Exchange 2016 and Exchange 2019.
- CVE-2020-16969: Microsoft Exchange Information Disclosure Vulnerability
An information disclosure vulnerability exists in the way Microsoft Exchange validates tokens when handling certain messages. An attacker who successfully exploited it could use it to obtain further information from a user.
To exploit the vulnerability, an attacker could send specially crafted OWA messages whose content is loaded, without warning or filtering, from an attacker-controlled URL. This callback vector is the same information disclosure tactic used by web beacons and other tracking systems.
The security update corrects the way that Exchange handles these token validations.
- View: Description of the security update for Microsoft Exchange Server 2019, 2016, and 2013: October 13, 2020
- Download: Security Update For Exchange Server 2019 CU7 (KB4581424)
- Download: Security Update For Exchange Server 2019 CU6 (KB4581424)
- Download: Security Update For Exchange Server 2016 CU18 (KB4581424)
- Download: Security Update For Exchange Server 2016 CU17 (KB4581424)
- Download: Security Update For Exchange Server 2013 CU23 (KB4581424)