Wednesday, May 07, 2008 1:57 PM
cmosby
Novell GroupWise WebAccess Script Insertion
Secunia Advisory: SA29969
Release Date: 2008-05-02
Critical: Moderately critical
Impact: Cross Site Scripting
Where: From remote
Solution Status: Unpatched
Software: Novell GroupWise 7.x
Description:
Juan Pablo Lopez Yacubian has reported a vulnerability in Novell GroupWise, which can be exploited by malicious people to conduct script insertion attacks.
Input passed via, for example, a .JPG attachment in Novell GroupWise WebAccess is not properly sanitised before being returned to a user. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in the context of an affected site when a malicious .JPG attachment is viewed.
The vulnerability is reported in version 7. Other versions may also be affected.
Solution:
Do not view attachments in email messages from untrusted sources.
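Because no vendor patch is listed, a mail gateway can screen for the condition described above before WebAccess ever renders the file. The following is an added example, not part of the Secunia advisory or of any Novell code: it assumes the markup is carried in the attachment body, the function names are hypothetical, and the sample message is constructed.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

JPEG_SOI = b"\xff\xd8\xff"   # start-of-image marker every JPEG file begins with
MARKUP_HINTS = (b"<script", b"<html", b"<body", b"<iframe", b"<img", b"<svg")
SNIFF_WINDOW = 1024          # leading bytes inspected, as a content-sniffing browser would


def flag_fake_jpegs(raw_message: bytes) -> list[tuple[str, str]]:
    """Return (filename, reason) for .jpg/.jpeg attachments that are not plain JPEG data."""
    findings = []
    msg = message_from_bytes(raw_message, policy=policy.default)
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        if not filename.lower().endswith((".jpg", ".jpeg")):
            continue
        body = part.get_payload(decode=True) or b""
        head = body[:SNIFF_WINDOW].lower()
        # Markup is flagged even when a JPEG signature is present, since the
        # declared Content-Type says nothing about what the bytes contain.
        if any(hint in head for hint in MARKUP_HINTS):
            findings.append((filename, "markup in image body"))
        elif not body.startswith(JPEG_SOI):
            findings.append((filename, "missing JPEG signature"))
    return findings


def build_sample() -> bytes:
    """Constructed message: one JPEG-like attachment and one HTML file named .JPG."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachments")
    msg.add_attachment(JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + b"\x00" * 32,
                       maintype="image", subtype="jpeg", filename="photo.jpg")
    msg.add_attachment(b"<html><body><script>/* inert placeholder */</script></body></html>",
                       maintype="image", subtype="jpeg", filename="holiday.JPG")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in flag_fake_jpegs(build_sample()):
        print(f"quarantine {name}: {reason}")
```

Flagged attachments can be quarantined or rewritten to a forced download so they are never rendered inline in the webmail session.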
Provided and/or discovered by: Juan Pablo Lopez Yacubian
Original Advisory: http://archives.neohapsis.com/archives/bugtraq/2008-04/0330.html