Security Vulnerability: GroupWise Client for Windows Cross-site Scripting (XSS) Vulnerability

  • 7012063
  • 02-Apr-2013
  • 16-Apr-2013


GroupWise Client for Windows 8.0x up to and including 8.03 HP2
GroupWise Client for Windows 2012 up to and including 12.0.1 HP1


The GroupWise Client for Windows is vulnerable to a scripting exploit where by enticing a user to run a malicious script embedded within the body of an email message, a remote attacker could execute arbitrary code on vulnerable Windows workstations running the GroupWise client.

When a user opens a message containing a Javascript or ActiveX script, the GroupWise 8.x and 2012.x clients for Windows display a warning inside of the message window that indicates that GroupWise has blocked a script from running, and which gives end-users the option to allow the script to run by clicking on the yellow warning banner: ("GroupWise has restricted this webpage from running scripts or ActiveX controls that could access your computer. Click here to allow access.")


To allow administrators to prevent potentially harmful scripts from running on their end-users' workstations, the GroupWise 8.0.3 HP3 and GroupWise 12.0 Support Pack 2 clients include support for a new Windows registry key that will configure the GroupWise client for Windows to disable the "Click here to allow access" functionality, which will prevent end-users from running scripts embedded within HTML messages.

To block the ability to run scripts within the GroupWise client for Windows, administrators will need to update their GroupWise clients to version 8.0.3 Hot Patch 3 (or later) or 2012 Support Pack 2 (or later) AND do the following steps:
  1. Create a new DWORD (32-bit) registry value under HKEY_CURRENT_USER\Software\Novell\GroupWise\Client\Setup\
  2. Enter "HTMLScriptsBlocked" (minus the quotes) in the "Value name" field
  3. Enter "1" (minus the quotes) in the "Value data" field"
  4. Click OK to save the new DWORD value
Administrators can push out that registry setting to their Windows workstation using Novell ZENworks Configuration Management or another workstation-management utility.

With the new HTMLScriptsBlocked registry entry added to Windows, the GroupWise client will still display the yellow script warning, but if the user clicks on the warning message, the script will not run. NOTE, adding this registry key to a Windows workstation will prevent ALL scripts from running within the GroupWise client, not just malicious scripts.

This vulnerability was discovered and reported by Bartlomiej Balcerek at Wroclaw Centre for Networking and
Supercomputing (

Novell bug 799673, CVE-2013-1087

Previous versions (GroupWise, 6.5, 7.x) of the GroupWise Client for Windows are likely also vulnerable but are no longer supported. Customers on earlier versions of GroupWise should, at a minimum, upgrade their GroupWise Windows clients to version 8.0.3 Hot Patch 3 or 2012 SP2 in order to secure their systems.


Security Alert

Bug Number