Microsoft Outlook Web Access version 22.214.171.124 contains a cross-site scripting vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary HTML or script code in a user's browser.
The vulnerability is due to improper validation of user-supplied input to a parameter that could permit cross-site scripting attacks. An attacker could exploit the vulnerability to inject arbitrary HTML or script code into the user's browser that could allow the attacker to spoof content, disclose potentially sensitive information, or take actions as the user on the site.
Proof-of-concept code that exploits this vulnerability is publicly available.
Microsoft has not confirmed this vulnerability, and software updates are not available.