Security Vulnerability: Cross-Site Scripting (XSS) issue in GroupWise WebAccess "merge" parameter

  • 7010368
  • 03-Jul-2012
  • 08-Feb-2013

Environment

GroupWise 8.0x up to and including 8.02HP3

Situation

GroupWise WebAccess is vulnerable to cross-site scripting (XSS) through the "merge" parameter: an attacker could potentially insert arbitrary HTML and script code that will be executed in a user's browser session.

Resolution

To resolve this vulnerability, apply GroupWise 8.0 Support Pack 3 (or later).
 
Previous versions of GroupWise are likely also vulnerable but are no longer supported. Customers on earlier versions of GroupWise should, at a minimum, upgrade their WebAccess servers and associated Domains to version 8.0 Support Pack 3 in order to secure their system.
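To review web server access logs for requests that placed markup in the "merge" parameter, the following added example (not Novell's code and not part of the original advisory) decodes that parameter, including repeated URL-encoding, and flags values containing HTML or script syntax. The log lines, the request path and the function names are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access-log lines; path and parameter values are placeholders.
SAMPLE_LOG = """\
203.0.113.5 - - [03/Jul/2012:10:00:01 +0000] "GET /PLACEHOLDER/webacc?a=1&merge=view1 HTTP/1.1" 200 512
203.0.113.9 - - [03/Jul/2012:10:00:07 +0000] "GET /PLACEHOLDER/webacc?merge=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 498
203.0.113.9 - - [03/Jul/2012:10:00:09 +0000] "GET /PLACEHOLDER/webacc?merge=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 498
198.51.100.2 - - [03/Jul/2012:10:01:00 +0000] "GET /PLACEHOLDER/webacc?q=%3Cb%3E&merge=view2 HTTP/1.1" 200 300
"""

REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Characters and tokens that have no place in a plain parameter value.
MARKUP = re.compile(r"[<>\"']|javascript:|\bon\w+\s*=", re.IGNORECASE)


def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding so double-encoded markup is visible."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_merge_requests(log_text):
    """Return (line number, client, decoded value) for flagged "merge" values."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        match = REQUEST.search(line)
        if not match:
            continue
        query = urlsplit(match.group(1)).query
        # parse_qsl performs the first round of URL-decoding.
        for name, value in parse_qsl(query, keep_blank_values=True):
            if name.lower() != "merge":
                continue  # markup in other parameters is out of scope here
            decoded = fully_decode(value)
            if MARKUP.search(decoded):
                hits.append((lineno, line.split()[0], decoded))
    return hits


if __name__ == "__main__":
    for lineno, client, value in suspicious_merge_requests(SAMPLE_LOG):
        print(f"line {lineno}: {client} sent merge={value!r}")
```

Access logs record only the query string, so a "merge" value sent in a POST body will not appear in them.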

This vulnerability was discovered and reported by Joshua Tiago, Cirosec, via Secunia SVCRP (http://www.secunia.com/); Secunia advisory SA45671.

Novell bugs 702785, 740563; CVE-2012-0272

Status

Security Alert

Bug Number

702785 740563
