Novell GroupWise WebAccess 7
Novell GroupWise WebAccess 6.5
Cross-site scripting vulnerability in WebAccess.
An outside security researcher reported a cross-site scripting vulnerability in GroupWise WebAccess.
In certain circumstances, the GroupWise filter does not check for UTF-7 encoding and does not sanitize some code, which might allow this vulnerability.
These vulnerabilities may allow the theft of authentication credentials when an email is sent containing specific HTML code that allows JavaScript to run.
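The following is an added example, not Novell's code or part of the original advisory: it shows why a markup check that looks only at literal characters misses tags written in UTF-7, next to a check that also inspects the UTF-7 decoding. The function names and sample bodies are constructed for illustration, and the "naive" check is an assumption about this class of filter, not a description of the GroupWise implementation.

```python
import re
from typing import Optional

# Constructed sample bodies. "+ADw-" and "+AD4-" are the UTF-7 forms of "<" and ">".
SAMPLE_UTF7 = b"Hi +ADw-script+AD4-void(0)+ADw-/script+AD4-"
SAMPLE_PLAIN = b"Lunch at noon tomorrow?"

# Start of an HTML tag: "<", optional "/", then a letter.
TAG_RE = re.compile(r"<\s*/?\s*[A-Za-z]")


def naive_has_markup(body: bytes) -> bool:
    """Weak check: examines the literal characters only."""
    return bool(TAG_RE.search(body.decode("ascii", errors="replace")))


def utf7_view(body: bytes) -> Optional[str]:
    """Return the UTF-7 decoding if it differs from the literal text, else None."""
    literal = body.decode("ascii", errors="replace")
    try:
        decoded = body.decode("utf-7")
    except UnicodeDecodeError:
        return None  # not a valid UTF-7 byte sequence
    return decoded if decoded != literal else None


def hardened_has_markup(body: bytes) -> bool:
    """Check the literal text and, when present, its UTF-7 decoding."""
    if naive_has_markup(body):
        return True
    decoded = utf7_view(body)
    return decoded is not None and bool(TAG_RE.search(decoded))


if __name__ == "__main__":
    for name, body in (("utf7", SAMPLE_UTF7), ("plain", SAMPLE_PLAIN)):
        print(name, naive_has_markup(body), hardened_has_markup(body))
```

A filter should run its sanitizer over the decoded form, and the response should declare an explicit charset so the client does not reinterpret the bytes.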
This has been fixed in any build of GroupWise 7 WebAccess dated after July 27, 2006.
This has been fixed in any build of GroupWise 6.5 WebAccess dated after July 27, 2006.
The Hot Patch for GroupWise 7 is available here: https://support.novell.com/filefinder/20641/beta.html
The Field Test File for GroupWise 6.5 is available here: https://support.novell.com/filefinder/16963/beta.html
Vulnerability discovered by:
[ISR] Infobyte Security Research.
This vulnerability has been assigned the identifier CVE-2006-3817 by the CVE database.