CVE-2006-1193

Exp

Cross-site scripting (XSS) vulnerability in Microsoft Exchange Server 2000 SP1 through SP3, when running Outlook Web Access (OWA), allows user-assisted remote attackers to inject arbitrary HTML or web script via unknown vectors related to "HTML parsing."

Published: 2006-06-13 Last update: 2026-04-16 Assigner: [email protected] Source: [email protected]
NVD Status:ModifiedCVE State: published
View at NVD, CVE.org, EUVD

CVE-2006-1193 is rated Exploit Available (54.5/100): CVSS Low severity, with high exploitation likelihood (EPSS 43.69%, 98th percentile). 1 public exploit reference(s) are indexed (Exploit-DB). Public exploits are available—assess exposure, apply mitigations, and prioritize patching.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Public exploit references (Exploit-DB) for CVE-2006-1193

EDB-ID Source Kind Published Link
28005 exploit_db edb 2006-06-13 Exploit-DB ↗

Exploit prediction scoring system (EPSS) score for CVE-2006-1193

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-03-31 58.92% 43.69% -15.23%
2 2025-12-28 47.45% 58.92% +11.46%
3 2025-12-27 47.45%

Full EPSS history (22 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2006-1193

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
2.6 2.0 LOW
AV:N/AC:H/Au:N/C:N/I:P/A:N Click to expand
Access vector (AV:N)
Can be exploited remotely over network reachability.
Access complexity (AC:H)
Exploitation requires uncommon or highly specific conditions.
Authentication (AU:N)
No authentication is required.
Confidentiality impact (C:N)
No confidentiality impact.
Integrity impact (I:P)
Partial integrity impact.
Availability impact (A:N)
No availability impact.
 4.9 2.9 [email protected]

Weakness enumeration for CVE-2006-1193

Affected software / configurations for CVE-2006-1193

Vendor Product Version Raw CPE
microsoft exchange_server 2000 cpe:2.3:a:microsoft:exchange_server:2000:sp1:*:*:*:*:*:*
microsoft exchange_server 2000 cpe:2.3:a:microsoft:exchange_server:2000:sp2:*:*:*:*:*:*
microsoft exchange_server 2000 cpe:2.3:a:microsoft:exchange_server:2000:sp3:*:*:*:*:*:*

References for CVE-2006-1193

URL Tags
http://lists.grok.org.uk/pipermail/full-disclosure/2006-June/046892.html Mailing List Third Party Advisory
http://secunia.com/advisories/20634 Patch Third Party Advisory
http://securitytracker.com/id?1016280 Patch Third Party Advisory VDB Entry
http://www.kb.cert.org/vuls/id/138188 Third Party Advisory US Government Resource
http://www.osvdb.org/26441 Broken Link
http://www.sec-consult.com/fileadmin/Advisories/20060613-0_owa_xss_noexploit.txt Third Party Advisory
http://www.securityfocus.com/bid/18381 Patch Third Party Advisory VDB Entry
http://www.us-cert.gov/cas/techalerts/TA06-164A.html Third Party Advisory US Government Resource
http://www.vupen.com/english/advisories/2006/2326 Permissions Required
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2006/ms06-029 Patch Vendor Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/25550 Third Party Advisory VDB Entry
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1070 Third Party Advisory
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1161 Third Party Advisory
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1315 Third Party Advisory
cvelogic Threat Intelligence