This page lists publicly disclosed CVE vulnerabilities affecting microsoft outlook_web_access (linked via NVD CPE). Each row includes severity scores, summaries, and publication dates to help identify and analyze security issues.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2016-0028 | Outlook Web Access (OWA) in Microsoft Exchange Server 2013 SP1, Cumulative Update 11, and Cumulative Update 12 and 2016 Gold and Cumulative Update 1 does not properly restrict loading of IMG elements, which makes it easier for remote attackers to track users via a crafted HTML e-mail message, aka "Microsoft Exchange Information Disclosure Vulnerability." | [email protected] | 5.5 | 22.55% | 2016-06-16 | 2026-05-06 |
| CVE-2010-3213 | Cross-site request forgery (CSRF) vulnerability in Microsoft Outlook Web Access (owa/ev.owa) 2007 through SP2 allows remote attackers to hijack the authentication of e-mail users for requests that perform Outlook requests, as demonstrated by setting the auto-forward rule. | [email protected] | 6.8 | 8.54% | 2010-09-07 | 2026-04-29 |
| CVE-2008-2248 | Cross-site scripting (XSS) vulnerability in Outlook Web Access (OWA) for Exchange Server 2003 SP2 allows remote attackers to inject arbitrary web script or HTML via unspecified HTML, a different vulnerability than CVE-2008-2247. | [email protected] | 4.3 | 24.61% | 2008-07-08 | 2026-04-23 |
| CVE-2008-2143 | Unspecified versions of Microsoft Outlook Web Access (OWA) use the Cache-Control: no-cache HTTP directive instead of no-store, which might cause web browsers that follow RFC-2616 to cache sensitive information. | [email protected] | 1.9 | 1.54% | 2008-05-12 | 2026-04-23 |
| CVE-2005-1052 | Microsoft Outlook 2003 and Outlook Web Access (OWA) 2003 do not properly display comma separated addresses in the From field in an e-mail message, which could allow remote attackers to spoof e-mail addresses. | [email protected] | 5.0 | 9.38% | 2005-05-02 | 2026-04-16 |