The Microsoft Exchange Client Access Server (CAS) that services Autodiscover is vulnerable to an information disclosure issue. A standard domain user without Exchange permissions can enumerate the Autodiscover configuration files of Exchange users through XML SOAP parameter injection.