Cross-site scripting (XSS) vulnerability in GroupWise WebAccess.

  • 3701584
  • 08-Aug-2006
  • 27-Apr-2012

Environment

Novell GroupWise WebAccess 7
Novell GroupWise WebAccess 6.5

Situation

Cross-site scripting vulnerability in WebAccess.
An outside security researcher reported a cross-site scripting vulnerability in GroupWise WebAccess.
In certain circumstances, the GroupWise filter does not check for UTF-7 encoding and does not sanitize some code, which might allow this vulnerability.
These vulnerabilities may allow the theft of authentication credentials when an email is sent containing specific HTML code that allows JavaScript to run.
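
The filtering gap described above, as an added example (not Novell's code and not the actual fix): a filter that inspects only the bytes as received misses markup written as UTF-7 shift sequences, while one that also checks the UTF-7 decoding sees it. The sample bodies and all function names are constructed for illustration.

```python
import re

# Constructed samples (not from the advisory). In UTF-7, "+ADw-" decodes to
# "<" and "+AD4-" to ">", so the first body carries a harmless <b> tag that
# contains no literal angle bracket.
ENCODED_BODY = b"Hello +ADw-b+AD4-world+ADw-/b+AD4-"
PLAIN_BODY = b"Budget is 3+4 million - see notes"
LITERAL_BODY = b"Hello <b>world</b>"

# Start of an HTML tag, closing tag, comment or doctype.
TAG_RE = re.compile(r"<\s*/?\s*[A-Za-z!]")


def ascii_only_filter(raw: bytes) -> bool:
    """Weak pattern: look for tags in the bytes as received, one charset only."""
    return bool(TAG_RE.search(raw.decode("latin-1")))


def candidate_views(raw: bytes) -> dict:
    """Return the text under each interpretation a renderer might apply."""
    return {
        "latin-1": raw.decode("latin-1"),
        # errors="replace" keeps going past malformed shift sequences such as
        # the "+4 " in PLAIN_BODY instead of raising.
        "utf-7": raw.decode("utf-7", errors="replace"),
    }


def charset_aware_filter(raw: bytes) -> list:
    """Return the names of the interpretations under which markup appears."""
    return [name for name, text in candidate_views(raw).items()
            if TAG_RE.search(text)]


if __name__ == "__main__":
    for body in (ENCODED_BODY, PLAIN_BODY, LITERAL_BODY):
        print(body, ascii_only_filter(body), charset_aware_filter(body))
```

A body flagged under any interpretation should go through the same sanitizing path as literal markup, and serving the message with an explicit charset removes the renderer's freedom to pick UTF-7.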

Resolution

This has been fixed in any build of GroupWise 7 WebAccess dated after July 27, 2006.
This has been fixed in any build of GroupWise 6.5 WebAccess dated after July 27, 2006.
A Hot Patch for GroupWise 7 is available here: https://support.novell.com/filefinder/20641/beta.html
A Field Test File for GroupWise 6.5 is available here: https://support.novell.com/filefinder/16963/beta.html

Status

Security Alert

Additional Information

Vulnerability discovered by:
Francisco Amato
[ISR] Infobyte Security Research.
This vulnerability has been assigned the identifier CVE-2006-3817 by the CVE database.