An actively exploited XSS vulnerability in Exchange OWA is being patched for current versions but remains unfixed for Exchange 2016/2019 without paid Extended Support.