
SRC-2021-0004 : Microsoft Exchange Server msExchEcpCanary Cross Site Request Forgery Elevation of Privilege Vulnerability

Description

**Vulnerability Details:** This vulnerability allows remote attackers to escalate privileges on affected installations of Microsoft Exchange Server. Authentication and user interaction are required to exploit this vulnerability, in that the target must visit a malicious page. The specific flaw exists within the HasValidCanary function inside the Canary15 class. The issue results from insecure generation of cross-site request forgery tokens, which can be used to install an Office add-in. An attacker can leverage this vulnerability to escalate privileges to an administrative account.

**Affected Vendors:** Microsoft

**Affected Products:** Exchange Server

**Vendor Response:** Microsoft has issued an update to correct this vulnerability. More details can be found at: <https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-24085>

**Proof of Concept:**

* <https://github.com/sourceincite/CVE-2021-24085>
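Added here as an illustrative defensive pattern, not Exchange's own code or the patched Canary15 implementation: a CSRF canary computed as an HMAC over the authenticated user's identity and session under a server-side secret, checked in constant time, so a canary issued for one account or session is rejected for any other. The function names, secret and sample identities are assumptions for the example.

```python
import hmac
import hashlib
import os
from base64 import urlsafe_b64encode, urlsafe_b64decode

# Constructed secret for this example only. A real deployment generates it once,
# stores it server-side and never sends it to the client.
SERVER_SECRET = b"example-only-secret-do-not-use"

NONCE_LEN = 16
TAG_LEN = hashlib.sha256().digest_size  # 32


def _message(user_sid: str, session_id: str, nonce: bytes) -> bytes:
    # NUL-separated so "ab"+"c" and "a"+"bc" cannot collide.
    return b"\x00".join([user_sid.encode(), session_id.encode(), nonce])


def make_canary(user_sid: str, session_id: str) -> str:
    """Issue a canary bound to this authenticated user and session.

    The random nonce makes every canary unique; the HMAC under SERVER_SECRET
    means nobody without the secret can mint one for a chosen identity.
    """
    nonce = os.urandom(NONCE_LEN)
    tag = hmac.new(SERVER_SECRET, _message(user_sid, session_id, nonce),
                   hashlib.sha256).digest()
    return urlsafe_b64encode(nonce + tag).decode()


def has_valid_canary(canary: str, user_sid: str, session_id: str) -> bool:
    """Validate a canary presented with a state-changing request.

    user_sid and session_id must come from the server's own view of the
    authenticated caller, never from request parameters, and the compare is
    constant-time so a byte-by-byte guess leaks nothing.
    """
    try:
        raw = urlsafe_b64decode(canary.encode())
    except ValueError:
        return False
    if len(raw) != NONCE_LEN + TAG_LEN:
        return False
    nonce, tag = raw[:NONCE_LEN], raw[NONCE_LEN:]
    expected = hmac.new(SERVER_SECRET, _message(user_sid, session_id, nonce),
                        hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)
```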
