CVE-2009-0273
Description
Multiple cross-site scripting (XSS) vulnerabilities in Novell GroupWise WebAccess 6.5x, 7.0, 7.01, 7.02x, 7.03, 7.03HP1a, and 8.0 allow remote attackers to inject arbitrary web script or HTML via the (1) User.id and (2) Library.queryText parameters to gw/webacc, and other vectors involving (3) HTML e-mail and (4) HTML attachments.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Novell GroupWise WebAccess is vulnerable to multiple XSS attacks via user parameters, HTML email, and attachments, allowing script injection and data theft.
Vulnerability
Novell GroupWise WebAccess versions 6.5x, 7.0, 7.01, 7.02x, 7.03, 7.03HP1a, and 8.0 contain multiple cross-site scripting (XSS) vulnerabilities. The issues arise from improper sanitization of user-supplied input in the User.id and Library.queryText parameters passed to gw/webacc, as well as in HTML email content and HTML attachments. These flaws allow both persistent and non-persistent XSS attacks [1][2].
Exploitation
An attacker can exploit these vulnerabilities by crafting malicious script or HTML and embedding it in the affected parameters, or by sending a specially crafted HTML email or attachment to a GroupWise user. The attack requires no special network position beyond normal web access to the GroupWise WebAccess interface. For the persistent variant, the injected script is stored and executed when other users view the affected content. For the non-persistent variant, a POST request with a malicious payload can trigger script execution [1][2].
Impact
Successful exploitation allows the attacker to execute arbitrary web script or HTML in the context of the victim's browser. This can lead to persistent defacement of the target site, theft of confidential information, or redirection to unauthorized third parties. The impact is limited to the web application layer and does not grant direct server-side control [1][2].
Mitigation
For GroupWise 7.x systems, apply GroupWise 7.03 Hot Patch 2 (HP2) or later. For GroupWise 8.0 systems, apply GroupWise 8.0 Hot Patch 1 (HP1) or later. GroupWise 6.5x is end-of-life and must be upgraded to a supported, patched version [1][2].
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:novell:groupwise:6.5:*:*:*:*:*:*:*
- cpe:2.3:a:novell:groupwise:7.0:*:*:*:*:*:*:*
- cpe:2.3:a:novell:groupwise:7.01:*:*:*:*:*:*:*
- cpe:2.3:a:novell:groupwise:7.02x:*:*:*:*:*:*:*
- cpe:2.3:a:novell:groupwise:7.03:*:*:*:*:*:*:*
- cpe:2.3:a:novell:groupwise:7.03:hp1a:*:*:*:*:*:*
- cpe:2.3:a:novell:groupwise:8.0:*:*:*:*:*:*:*
- Range: >=6.5x, <=8.0 (multiple versions)
Patches
No patches discovered yet.
References
- www.novell.com/support/search.do (nvd, Vendor Advisory)
- www.novell.com/support/search.do (nvd, Vendor Advisory)
- secunia.com/advisories/33744 (nvd)
- www.procheckup.com/vulnerability_manager/vulnerabilities/pr08-22 (nvd)
- www.procheckup.com/vulnerability_manager/vulnerabilities/pr08-23 (nvd)
- www.securityfocus.com/archive/1/500572/100/0/threaded (nvd)
- www.securityfocus.com/archive/1/500575/100/0/threaded (nvd)
- www.securityfocus.com/bid/33537 (nvd)
- www.securityfocus.com/bid/33541 (nvd)
News mentions
No linked articles in our index yet.