Environment
Novell GroupWise WebAccess is vulnerable to cross-site scripting
(XSS) through script injection in the User.Theme.index parameter,
which could allow an attacker to redirect users to a malicious site.
Affected versions:
GroupWise 7.0 up to (and including) 7.03 HP3
GroupWise 8.0 up to (and including) 8.0.0 HP2
This vulnerability was discovered and reported by Matt Foster - Netcraft, Ltd. (http://www.netcraft.com)
Novell bugs 517592, 520671. CVE number pending.
Resolution
To resolve this issue:
For GroupWise 7.x systems, apply GroupWise 7.03 Hot Patch 4 (HP4) or later
For GroupWise 8.0 systems, apply GroupWise 8.0 Support Pack 1 (SP1) or later
Status
Security Alert
Bug Number
517592, 520671