I recently had a pen test and one of the findings was that our OWA (Exchange 2013) is vulnerable to "Possible SQL Injection". Our pen tester recommends that we download the latest login dialog applet from Microsoft or recompile the web code against the v4.5 or later .NET framework. I am not able to find any download from Microsoft, nor can I find any information regarding the vulnerability or how to remediate it.
Has anyone encountered this issue before, or does anyone know how to secure the OWA's logon page from SQL injection? I read somewhere that it is not recommended to edit Microsoft's code.