fix severity

[pwnhxl]

This only returns the internal network address, and Microsoft does not acknowledge that this is a vulnerability!

[userdehghani]

it's not a microsoft application vulnerability but any organization can config their own on-premise ms-exchange server and the local domain exposure is a valid vulnerability on organization side.

@pwnhxl @ritikchaddha

[pwnhxl]

@userdehghani
In general, Microsoft assigns CVE numbers to product vulnerabilities, such as: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473

Could you please provide the CVE number?

If the internal IP address is leaked, would that be considered a vulnerability? http/misconfiguration/internal-ip-disclosure.yaml
This template should also be used for low-risk vulnerabilities.

[userdehghani]

private information disclosure is under CWE-200, and i consider CVSS 3.1 as the basis for calculating the severity of vulnerability. the minimum severity of this vulnerability will be categorized as low.

• https://cwe.mitre.org/data/definitions/200.html
• https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

@pwnhxl