Microsoft Exchange ProxyToken Vulnerability Allows Attackers to Reconfigure Mailboxes
Information security researcher Le Xuan Tuyen reported details of a new vulnerability in Microsoft Exchange servers. Exploiting the issue allows an unauthorized attacker to modify server configurations, leading to information disclosure, including the disclosure of Personally Identifiable Information (PII).
The issue, tracked as CVE-2021-33766 and named ProxyToken, has received a CVSS score of 7.3.
This vulnerability allows an unauthorized attacker to perform configuration actions on mailboxes belonging to arbitrary users. The issue can be used to copy all emails addressed to an account and forward them to an account controlled by the attacker.
Source: securitylab.ru
31 August 2021