CVE-2010-2091
Description
Microsoft Outlook Web Access (OWA) 8.2.254.0, when Internet Explorer 7 on Windows Server 2003 is used, does not properly handle the id parameter in a Folder IPF.Note action to the default URI, which might allow remote attackers to obtain sensitive information or conduct cross-site scripting (XSS) attacks via an invalid value.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or, if you've already worked around this in production, publish your fix to the community-verified tier.
Propose a mitigation on Community. Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
Microsoft Outlook Web Access (OWA) 8.2.254.0 - Information Disclosure
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| microsoft | exchange_server | 2007 | |
| microsoft | internet_explorer | 7 | |
References
- http://www.exploit-db.com/exploits/12728
- http://www.securityfocus.com/archive/1/511401/100/0/threaded
- http://www.securityfocus.com/archive/1/511416/100/0/threaded
- http://www.securityfocus.com/archive/1/511448/100/0/threaded
- https://exchange.xforce.ibmcloud.com/vulnerabilities/58835
CWEs
CWE-79
Community-verified mitigations for this CVE will appear above when contributors publish them.