Security Vulnerability - Multiple XSS vulnerabilities in GroupWise WebAccess

  • 7016653
  • 06-Jul-2015
  • 09-Jul-2015

Environment

Affected versions:
Novell GroupWise 2012 up to and including 2012 Support Pack 3 Hot Patch 1 (SP3 HP1)
Novell GroupWise 2014 up to and including 2014 Support Pack 1 Hot Patch 1 (SP1 HP1)

Situation

Novell GroupWise 2012 and 2014 WebAccess contain multiple cross-site scripting (XSS) vulnerabilities through which an attacker could execute arbitrary JavaScript code in the context of the user's WebAccess session.

Resolution

To resolve this issue, apply GroupWise 2012 Support Pack 4 or GroupWise 2014 Support Pack 2 or later.
 
Previous versions of GroupWise are likely also vulnerable but are no longer supported. Customers on earlier versions of GroupWise should, at a minimum, upgrade their WebAccess servers and associated domains to version 2012 SP4 or 2014 SP2 in order to secure their system.
 
These vulnerabilities were discovered and reported by Mario Heiderich of Cure53 (https://cure53.de/). Novell would like to thank Mario for his assistance identifying and resolving these vulnerabilities.
 
One vulnerability was also discovered and reported by Adrian Vollmer at SySS (http://www.syss.de). Novell would like to thank Adrian for his assistance identifying and resolving this vulnerability.
 
Novell bugs: 909590, 909588, 909587, 909586, 909584, 930467. CVE: CVE-2014-0611.

Status

Security Alert

Bug Number

909590, 909588, 909587, 909586, 909584, 930467