Security Vulnerability - GroupWise 8 WebAccess Cross-site scripting (XSS) issue in "Directory.Item" Parameters

  • 7009214
  • 19-Aug-2011
  • 26-Apr-2012

Environment

Novell GroupWise 8
Novell GroupWise 8 WebAccess
GroupWise 8.0x up to (and including) 8.02HP2

Situation

GroupWise WebAccess is vulnerable to cross-site scripting (XSS) through the "Directory.Item.name" and "Directory.Item.displayName" parameters: an attacker could potentially insert arbitrary HTML and script code that will be executed in a user's browser session.
 
This vulnerability was discovered and reported by Joshua Tiago, Cirosec via Secunia (http://www.secunia.com/, Secunia advisory SA44328).
 
CVE-2011-2661

Resolution

To resolve this issue, apply GroupWise 8.0 Hot Patch 3 (HP3) or later.
 
Previous versions of GroupWise are likely also vulnerable but are no longer supported. Customers on earlier versions of GroupWise should, at a minimum, upgrade their WebAccess servers and associated Domains to version 8.02HP3 in order to secure their system.
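
For servers that ran an affected version before the hot patch was applied, web server access logs can be reviewed for requests in which either named parameter carries HTML markup. The following is an added example, not Novell's code: it assumes the parameters appear in the query string of combined-format access log lines, and the request path, addresses and values in the sample lines are constructed placeholders.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Parameter names taken from the advisory text.
AFFECTED_PARAMS = {"Directory.Item.name", "Directory.Item.displayName"}
# Characters needed to leave HTML text or attribute context.
MARKUP = re.compile(r'[<>"]')
# Request line inside a combined-format access log entry (assumed format).
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample lines; path, addresses and values are placeholders.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Sep/2011:10:00:01 +0000] "GET /webaccess-placeholder?Directory.Item.name=Sales+Team HTTP/1.1" 200 512',
    '192.0.2.44 - - [01/Sep/2011:10:02:17 +0000] "GET /webaccess-placeholder?Directory.Item.displayName=%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 498',
    '192.0.2.44 - - [01/Sep/2011:10:02:40 +0000] "GET /webaccess-placeholder?Directory.Item.name=%253Ci%253Ey HTTP/1.1" 200 498',
    '192.0.2.10 - - [01/Sep/2011:10:03:05 +0000] "GET /webaccess-placeholder?q=%3Cb%3E HTTP/1.1" 200 120',
]


def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding so that %253C is seen as '<'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(log_line):
    """Return [(param, decoded_value)] for affected parameters carrying markup."""
    match = REQUEST.search(log_line)
    if not match:
        return []
    query = urlsplit(match.group(1)).query
    hits = []
    # parse_qsl decodes names and values once; fully_decode handles nesting.
    for name, value in parse_qsl(query, keep_blank_values=True):
        value = fully_decode(value)
        if name in AFFECTED_PARAMS and MARKUP.search(value):
            hits.append((name, value))
    return hits


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        for name, value in suspicious_params(line):
            print(f"{name} carries markup: {value!r}")
```

Parameters submitted in a POST body are not recorded in access logs, so this check only covers values sent in the URL.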

Status

Security Alert

Bug Number

702786