Cross-Site Scripting (XSS) Security Vulnerability in GroupWise Agent HTTP interfaces

  • 7006371
  • 30-Jun-2010
  • 27-Apr-2012

Environment

Novell GroupWise 7
Novell GroupWise 8
Novell GroupWise Message Transfer Agent
Novell GroupWise Post Office Agent
Novell GroupWise Internet Agent
Novell GroupWise WebAccess Agent
Novell GroupWise Monitor Agent

Situation

The HTTP interfaces for GroupWise agents (Message Transfer Agent, Post Office Agent, Internet Agent, WebAccess Agent, Monitor Agent) are susceptible to Cross-Site Scripting (XSS) attacks, which could potentially be used by an attacker to steal sensitive information from application users, including parameters such as session credentials.

Affected versions:
GroupWise 7.0, 7.01, 7.02, 7.03x
GroupWise 8.0, 8.01x

This vulnerability was discovered and reported by Kevin Lynn of The George Washington University (http://www.gwu.edu/).

Novell bugs 576298, 579699, CVE-2010-2774

Resolution

To resolve this issue:
For GroupWise 7.x systems, apply GroupWise 7.0 Support Pack 4
For GroupWise 8.0 systems, apply GroupWise 8.0 Support Pack 2 or later

Status

Security Alert