VYPR
Unrated severity · NVD Advisory · Published May 22, 2009 · Updated Apr 23, 2026

CVE-2009-1635

Description

Multiple cross-site scripting (XSS) vulnerabilities in the WebAccess component in Novell GroupWise 7.x before 7.03 HP3 and 8.x before 8.0 HP2 allow remote attackers to inject arbitrary web script or HTML via (1) the User.lang parameter to the login page (aka gw/webacc), (2) style expressions in a message that contains an HTML file, or (3) vectors associated with incorrect protection mechanisms against scripting, as demonstrated using whitespace between JavaScript event names and values.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Multiple XSS vulnerabilities in Novell GroupWise WebAccess allow remote attackers to inject arbitrary script via the login page or HTML email.

Vulnerability

Multiple cross-site scripting (XSS) vulnerabilities exist in the WebAccess component of Novell GroupWise 7.x before 7.03 HP3 and 8.x before 8.0 HP2. Attackers can inject arbitrary web script or HTML through three vectors: (1) the User.lang parameter on the login page (gw/webacc), (2) style expressions in a message containing an HTML file, and (3) bypass of insufficient scripting protections, such as by using whitespace between JavaScript event names and values [1][2][3].

Exploitation

An unauthenticated remote attacker can exploit these vulnerabilities by crafting a malicious URL to the login page with the User.lang parameter, or by sending a specially crafted HTML email to an authenticated user. In the latter case, the user must open the email within WebAccess to trigger the script execution. The attacker can also manipulate the login page via JavaScript to cause a denial-of-service condition [4]. No authentication is required for the login page vector; user interaction is required for the email-based vectors.

Impact

Successful exploitation allows the attacker to execute arbitrary script in the context of the victim's browser, potentially leading to session hijacking, credential theft, redirection to malicious sites, unauthorized access to the victim's mailbox, or defacement of the login page preventing legitimate logins [2][3][4].

Mitigation

Novell released fixes: GroupWise 7.x systems should apply GroupWise 7.03 Hot Patch 3 (HP3) or later; GroupWise 8.0 systems should apply GroupWise 8.0 Hot Patch 2 (HP2) or later [2][3][4]. There are no known workarounds; upgrading is the recommended action. This CVE is not listed on CISA's Known Exploited Vulnerabilities Catalog.

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • Novell/Groupwise: 16 versions
    • cpe:2.3:a:novell:groupwise:7.0:*:*:*:*:*:*:*
    • cpe:2.3:a:novell:groupwise:7.0.0:sp1:*:*:*:*:*:*
    • cpe:2.3:a:novell:groupwise:7.0.0:sp2:*:*:*:*:*:*
    • cpe:2.3:a:novell:groupwise:7.01:*:*:*:*:*:*:*
    • cpe:2.3:a:novell:groupwise:7.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:novell:groupwise:7.02x:*:*:*:*:*:*:*
    • cpe:2.3:a:novell:groupwise:7.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:novell:groupwise:7.03:*:*:*:*:*:*:*
    • cpe:2.3:a:novell:groupwise:7.03:hp1a:*:*:*:*:*:*
    • cpe:2.3:a:novell:groupwise:7.03:hp2:*:*:*:*:*:*
    • cpe:2.3:a:novell:groupwise:7.0:sp1:*:*:*:*:*:*
    • cpe:2.3:a:novell:groupwise:7.0:sp2:*:*:*:*:*:*
    • cpe:2.3:a:novell:groupwise:7.0:sp3:*:*:*:*:*:*
    • cpe:2.3:a:novell:groupwise:8.0:*:*:*:*:*:*:*
    • cpe:2.3:a:novell:groupwise:8.0:hp1:*:*:*:*:*:*
    • (no CPE) range: <7.03 HP3, <8.0 HP2
