CVE-2006-1193
Description
Cross-site scripting (XSS) vulnerability in Microsoft Exchange Server 2000 SP1 through SP3, when running Outlook Web Access (OWA), allows user-assisted remote attackers to inject arbitrary HTML or web script via unknown vectors related to "HTML parsing."
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-site scripting vulnerability in Microsoft Exchange Server 2000 OWA allows script injection via crafted email messages.
Vulnerability
A cross-site scripting (XSS) vulnerability exists in Microsoft Exchange Server 2000 Service Pack 1 through Service Pack 3 when running Outlook Web Access (OWA). The flaw is due to improper HTML parsing of email messages, allowing an attacker to inject arbitrary HTML or web script. Affected software includes Exchange 2000 Server Service Pack 3 with the August 2004 Post-Service Pack 3 Update Rollup, as well as Exchange Server 2003 Service Pack 1 and Service Pack 2 [1][2][3].
Exploitation
An attacker can exploit this vulnerability by sending a specially crafted email containing malicious script to a user of the affected Exchange server. The user must then open the email using OWA. No authentication is required for the attacker to send the email, but user interaction is necessary to trigger the script execution [1][3].
Impact
Successful exploitation allows the attacker to execute arbitrary script in the security context of the victim user on the client system. This can lead to information disclosure, session hijacking, or other actions that the victim user could perform within OWA. Microsoft rates the severity as Important [1][2][3].
Mitigation
Microsoft released security update MS06-029 (KB912442) on June 13, 2006, which addresses this vulnerability for all affected versions. Workarounds are also documented in the bulletin, including disabling OWA or applying URLScan. No evidence of inclusion in the CISA Known Exploited Vulnerabilities (KEV) catalog exists [1][3].
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:microsoft:exchange_server:2000:sp1:*:*:*:*:*:*
- cpe:2.3:a:microsoft:exchange_server:2000:sp2:*:*:*:*:*:*
- cpe:2.3:a:microsoft:exchange_server:2000:sp3:*:*:*:*:*:*
Patches
No patches discovered yet.
References
- secunia.com/advisories/20634 (nvd: Patch, Third Party Advisory)
- securitytracker.com/id (nvd: Patch, Third Party Advisory, VDB Entry)
- www.securityfocus.com/bid/18381 (nvd: Patch, Third Party Advisory, VDB Entry)
- docs.microsoft.com/en-us/security-updates/securitybulletins/2006/ms06-029 (nvd: Patch, Vendor Advisory)
- lists.grok.org.uk/pipermail/full-disclosure/2006-June/046892.html (nvd: Mailing List, Third Party Advisory)
- www.kb.cert.org/vuls/id/138188 (nvd: Third Party Advisory, US Government Resource)
- www.sec-consult.com/fileadmin/Advisories/20060613-0_owa_xss_noexploit.txt (nvd: Third Party Advisory)
- www.us-cert.gov/cas/techalerts/TA06-164A.html (nvd: Third Party Advisory, US Government Resource)
- exchange.xforce.ibmcloud.com/vulnerabilities/25550 (nvd: Third Party Advisory, VDB Entry)
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1070 (nvd: Third Party Advisory)
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1161 (nvd: Third Party Advisory)
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1315 (nvd: Third Party Advisory)
- www.osvdb.org/26441 (nvd: Broken Link)
- www.vupen.com/english/advisories/2006/2326 (nvd: Permissions Required)