CVE-2019-1084
MEDIUM
Microsoft Exchange Server - Authenticated Information Disclosure via Invalid Display Name Handling
Title source: llm
Description
An information disclosure vulnerability exists when Exchange allows creation of entities with Display Names having non-printable characters. An authenticated attacker could exploit this vulnerability by creating entities with invalid display names, which, when added to conversations, remain invisible. This security update addresses the issue by validating display names upon creation in Microsoft Exchange, and by rendering invalid display names correctly in Microsoft Outlook clients, aka 'Microsoft Exchange Information Disclosure Vulnerability'.
References (1)
Core References
Patch, Vendor Advisory x_refsource_misc
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1084
Scores
CVSS v3: 6.5
EPSS: 0.0533
EPSS Percentile: 91.6%
Attack Vector: NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Details
CWE: CWE-200
Status: published
Products (16)
microsoft/exchange_server 2010 sp2
microsoft/exchange_server 2013 cumulative_update_23
microsoft/exchange_server 2016 cumulative_update_1 (4 CPE variants)
microsoft/lync 2013 sp1
microsoft/lync_basic 2013 sp1
microsoft/mail_and_calendar
microsoft/office 2010 sp2
microsoft/office 2013 sp1
microsoft/office 2016 (2 CPE variants)
microsoft/office 2019 (2 CPE variants)
... and 6 more
Published: Jul 15, 2019
Tracked Since: Feb 18, 2026