Impact
Microsoft Exchange Server fails to properly neutralize user-supplied input while generating a web page, a cross-site scripting flaw. An attacker who can get a victim to load a crafted request has script executed in the victim's browser in the security context of the Exchange web interface, where it can rewrite what the page shows and send requests that appear to come from the user. That allows the attacker to spoof the identity of the server or of other users and to forge data seen by users or by downstream services that trust the session. Because the payload runs client-side, the server itself is not compromised; the harm is to what the user sees and does in that browser session, including disclosure of information rendered in the page and manipulation of the user experience so that a manipulated page passes for a legitimate Exchange instance.
Affected Systems
Microsoft lists the following releases as affected: Microsoft Exchange Server 2016 Cumulative Update 23, Microsoft Exchange Server 2019 Cumulative Update 14, Microsoft Exchange Server 2019 Cumulative Update 15, and Microsoft Exchange Server Subscription Edition RTM. These are the builds that were in support when the advisory was issued; older cumulative updates are out of support and were not assessed, so their absence from the list is not evidence that they are unaffected.
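The check an administrator wants at this point is whether any server in the organization runs one of the listed cumulative-update lines. The script below is an added example, not part of the advisory or of any Microsoft tooling. It parses the AdminDisplayVersion string that Get-ExchangeServer returns and matches its major.minor.build prefix against the affected CU lines. The build prefixes in $AffectedBuilds are assumed from Microsoft's published Exchange build-number table and should be verified there before the output is relied on; the sample server list is constructed so the script runs without an Exchange Management Shell.

```powershell
# Added example (not from the advisory): flag Exchange servers whose
# AdminDisplayVersion falls in a CU line the advisory lists as affected.
# Build prefixes are ASSUMED from Microsoft's Exchange build-number table;
# verify them there before relying on this output.
$AffectedBuilds = @{
    '15.1.2507' = 'Exchange Server 2016 CU23'
    '15.2.1544' = 'Exchange Server 2019 CU14'
    '15.2.1748' = 'Exchange Server 2019 CU15'
    '15.2.2562' = 'Exchange Server Subscription Edition RTM'
}

function Get-AffectedCuLine {
    param([Parameter(Mandatory)][string]$AdminDisplayVersion)
    # AdminDisplayVersion renders as "Version 15.2 (Build 1748.10)";
    # only major.minor.build identifies the CU, the last number varies.
    if ($AdminDisplayVersion -match 'Version (\d+\.\d+) \(Build (\d+)\.(\d+)\)') {
        $prefix = "$($Matches[1]).$($Matches[2])"
        if ($AffectedBuilds.ContainsKey($prefix)) { return $AffectedBuilds[$prefix] }
        return $null
    }
    throw "Unrecognised AdminDisplayVersion format: $AdminDisplayVersion"
}

function Test-ExchangeServersForAdvisory {
    param([Parameter(Mandatory)][object[]]$Servers)
    foreach ($s in $Servers) {
        $line = Get-AffectedCuLine -AdminDisplayVersion ([string]$s.AdminDisplayVersion)
        [pscustomobject]@{
            Name       = $s.Name
            Version    = [string]$s.AdminDisplayVersion
            AffectedCU = $line
            Action     = if ($line) { 'Confirm the Security Update for this CU is installed' }
                         else       { 'Not in a listed CU line' }
        }
    }
}

# Constructed sample input so the script runs offline.
# In production replace this with:  $servers = Get-ExchangeServer
$servers = @(
    [pscustomobject]@{ Name = 'EX01'; AdminDisplayVersion = 'Version 15.2 (Build 1748.10)' }
    [pscustomobject]@{ Name = 'EX02'; AdminDisplayVersion = 'Version 15.1 (Build 2507.6)' }
    [pscustomobject]@{ Name = 'EX03'; AdminDisplayVersion = 'Version 15.2 (Build 1118.7)' }
)
Test-ExchangeServersForAdvisory -Servers $servers | Format-Table -AutoSize
```

AdminDisplayVersion identifies the cumulative update only; it does not change when a Security Update is installed. A server reported as being in an affected CU line therefore still needs a second check (the installed-updates list or the file version of ExSetup.exe) to confirm whether the fix for this issue is present.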
Risk and Exploitability
The CVSS base score of 6.1 places the issue in the medium range. EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is network: the flaw is reachable through the Exchange Server's HTTP interface and triggering it requires no authentication and no privileges on the server. As with any cross-site scripting flaw, however, exploitation needs a victim: a user with access to the Exchange web interface must be induced to load the crafted request, typically by following a link, and the interface must be reachable from wherever the attacker delivers that request. Exposure is therefore highest where the web interface is published to the Internet.