GroupWise WebAccess - Cross Site Scripting (XSS) Security Vulnerability in User.Theme.index parameter

  • 7004410
  • 09-Sep-2009
  • 27-Apr-2012

Environment

Novell GroupWise WebAccess is vulnerable to cross-site scripting (XSS) via script injection in the User.Theme.index parameter, which could allow an attacker to redirect users to a malicious site.

Affected versions:
GroupWise 7.0 up to (and including) 7.03 HP3
GroupWise 8.0 up to (and including) 8.0.0 HP2

This vulnerability was discovered and reported by Matt Foster - Netcraft, Ltd. (http://www.netcraft.com) 

Novell bugs 517592, 520671. CVE number pending.

Resolution

To resolve this issue:
For GroupWise 7.x systems, apply GroupWise 7.03 Hot Patch 4 (HP4) or later.
For GroupWise 8.0 systems, apply GroupWise 8.0 Support Pack 1 (SP1) or later.
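
To review web server access logs for injection attempts against this parameter, before or after patching, the following added example (not Novell's code) flags requests whose User.Theme.index value is not a plain number. It assumes combined-format access logs, a /gw/webacc request path, and that legitimate theme index values are short decimal numbers; the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

PARAM = "user.theme.index"            # parameter named in the advisory, lowercased
SAFE_VALUE = re.compile(r"\d{1,4}")   # assumption: legitimate values are short numbers
# Request target in a combined-format access log line (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample lines; the /gw/webacc path and addresses are assumptions.
SAMPLE_LOG = [
    '192.0.2.10 - - [09/Sep/2009:10:00:01 +0000] "GET /gw/webacc?User.Theme.index=2 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [09/Sep/2009:10:02:17 +0000] "GET /gw/webacc?User.Theme.index=%22%3E%3Cscript%3E HTTP/1.1" 200 5310',
    '198.51.100.7 - - [09/Sep/2009:10:02:40 +0000] "GET /gw/webacc?user.theme.index=%253Cscript%253E HTTP/1.1" 200 5310',
    '192.0.2.10 - - [09/Sep/2009:10:03:00 +0000] "POST /gw/webacc HTTP/1.1" 200 4801',
]

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding so %253C and %3C both become '<'."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_values(log_line):
    """Return decoded User.Theme.index values in one log line that are not plain numbers."""
    match = REQUEST.search(log_line)
    if not match:
        return []
    hits = []
    # parse_qsl decodes once; fully_decode handles any further encoding layers.
    for name, value in parse_qsl(urlsplit(match.group(1)).query, keep_blank_values=True):
        if fully_decode(name).lower() == PARAM:
            value = fully_decode(value)
            if not SAFE_VALUE.fullmatch(value):
                hits.append(value)
    return hits

def scan(lines):
    """Return (line_number, client_address, decoded_value) for each suspicious request."""
    findings = []
    for number, line in enumerate(lines, start=1):
        for value in suspicious_values(line):
            findings.append((number, line.split(" ", 1)[0], value))
    return findings

if __name__ == "__main__":
    # POST bodies are not in access logs, so line 4 cannot be judged from this source.
    for finding in scan(SAMPLE_LOG):
        print(finding)
```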

Status

Security Alert

Bug Number

517592, 520671