Security Vulnerability - Reflected Cross-site scripting (XSS) vulnerability in GroupWise Document Viewer Agent (DVA)

  • 7018371
  • 07-Dec-2016
  • 07-Dec-2016


GroupWise 2014 R2 Support Pack 1 Hot Patch 2
GroupWise Document Viewer Agent


A reflected XSS vulnerability exists in the web console of the GroupWise Document Viewer Agent that may enable a remote attacker to execute javascript in the context of a valid user's browser session by getting the user to click on a specially crafted link. This could lead to session compromise or other browser-based attacks.
This vulnerability was discovered and reported by Michael Statman at Emes Consulting (  Micro Focus bug 986327, CVE-2016-9169


To resolve this vulnerability, apply GroupWise 2014 R2 Support Pack 1 Hot Patch 2 (or later).
Previous versions of GroupWise are likely also vulnerable but are no longer supported. Customers on earlier versions of GroupWise should, at a minimum, upgrade their GroupWise server components to GroupWise 2014 R2 Support Pack 1 Hot Patch 2 in order to secure their system.


Security Alert

Bug Number