Info

Disclosure

Jul 15, 2005

Discovery

Jun 14, 2005

Dates

Exploit

Jul 19, 2005

Solution

Unknown

Description

Novell GroupWise WebAccess contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate e-mail message upon submission to the dynamically generated web content. This could allow a user to send a specially crafted e-mail that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Public
Disclosure: OSVDB Verified
OSVDB: Web Related

Solution

Upgrade to version 6.5 (dated after 11/7/2005) or 6.5 SP5 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

Novell, Inc.	Novell Groupwise	6.5 SP5
		6.5 SP4
		6.5 (after 11/7/2005)

References

Security Tracker: 1014515
Bugtraq ID: 14310
Secunia Advisory ID: 16098
SCIP VulDB ID: 1629
CVE ID: 2005-2276 (see also: NVD)
ISS X-Force ID: 21421
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-07/0322.html
http://marc.theaimsgroup.com/?l=bugtraq&m=112181451014783&w=2
Vendor Specific Advisory URL: http://support.novell.com/cgi-bin/search/searchtid.cgi?/10098301.htm
Other Advisory URL: http://www.infobyte.com.ar/adv/ISR-11.html
Keyword: TID10098301

Credit

Francisco Amato - famatoinfobyte.com.ar - Infobyte Security Research

Direct URL: http://osvdb.org/18064

Info

Disclosure

Discovery

Dates

Exploit

Solution

Description

Classification

Solution

Products

Novell, Inc.

Novell Groupwise

References

Credit