CVE-2020-16969

An information disclosure vulnerability exists in how Microsoft Exchange validates tokens when handling certain messages. An attacker who successfully exploited the vulnerability could use this to gain further information from a user. To exploit the vulnerability, an attacker could include specially crafted OWA messages that could be loaded, without warning or filtering, from the attacker-controlled URL. This callback vector provides an information disclosure tactic used in web beacons and other types of tracking systems. The security update corrects the way that Exchange handles these token validations.

Published: Oct 17, 2020
Updated: May 4, 2025
CVE: CVE-2020-16969
Severity: Low
Exploit:

CVSS v2:

Severity: Low
Score: 4.3
AV:N/AC:M/Au:N/C:P/I:N/A:N

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
microsoft / exchange_server	2013-cumulative_update_23	2013-cumulative_update_23.x
microsoft / exchange_server	2019-cumulative_update_6	2019-cumulative_update_6.x
microsoft / exchange_server	2016-cumulative_update_17	2016-cumulative_update_17.x
microsoft / exchange_server	2019-cumulative_update_7	2019-cumulative_update_7.x
microsoft / exchange_server	2016-cumulative_update_18	2016-cumulative_update_18.x

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16969

Vulnerability Database

289,697

CVE-2020-16969