CVE-2009-1762
Description
Multiple cross-site scripting (XSS) vulnerabilities in the WebAccess login page (aka gw/webacc) in Novell GroupWise 7.x before 7.03 HP2 allow remote attackers to inject arbitrary web script or HTML via the (1) GWAP.version or (2) User.Theme (aka User.Theme.index) parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Multiple XSS vulnerabilities in Novell GroupWise WebAccess login page allow remote attackers to inject arbitrary web script or HTML via the GWAP.version and User.Theme parameters.
Vulnerability
Multiple cross-site scripting (XSS) vulnerabilities exist in the Novell GroupWise WebAccess login page (gw/webacc) in GroupWise 7.x before 7.03 HP2 and GroupWise 8.0 before 8.0.0 HP1 [2]. The flaws are located in the handling of the GWAP.version and User.Theme (also known as User.Theme.index) parameters.
Exploitation
An attacker can exploit these vulnerabilities by sending a crafted request to the login page with malicious JavaScript or HTML embedded in either the GWAP.version or User.Theme parameter. No authentication is required; the attacker only needs network access to the GroupWise WebAccess server. The injected script executes in the context of the victim's browser when the page loads.
Impact
Successful exploitation allows the attacker to inject arbitrary web script or HTML, potentially defacing the login page, stealing credentials, or performing other malicious actions within the security context of the affected site. This could prevent legitimate users from logging in or lead to further compromise.
Mitigation
Novell released patches to address these issues. For GroupWise 7.x, apply Hot Patch 3 (HP3) or later. For GroupWise 8.0, apply Hot Patch 2 (HP2) or later [2]. No workarounds are documented. This CVE is not listed in the Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:novell:groupwise:7.0:*:*:*:*:*:*:*
- cpe:2.3:a:novell:groupwise:7.0.0:sp1:*:*:*:*:*:*
- cpe:2.3:a:novell:groupwise:7.0.0:sp2:*:*:*:*:*:*
- cpe:2.3:a:novell:groupwise:7.01:*:*:*:*:*:*:*
- cpe:2.3:a:novell:groupwise:7.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:novell:groupwise:7.02x:*:*:*:*:*:*:*
- cpe:2.3:a:novell:groupwise:7.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:novell:groupwise:7.03:*:*:*:*:*:*:*
- cpe:2.3:a:novell:groupwise:7.03:hp1a:*:*:*:*:*:*
- cpe:2.3:a:novell:groupwise:7.03:hp2:*:*:*:*:*:*
- cpe:2.3:a:novell:groupwise:7.0:sp1:*:*:*:*:*:*
- cpe:2.3:a:novell:groupwise:7.0:sp2:*:*:*:*:*:*
- cpe:2.3:a:novell:groupwise:7.0:sp3:*:*:*:*:*:*
- (no CPE) range: <7.03 HP2
Patches
No patches discovered yet.
References
- www.novell.com/support/search.do (nvd; Patch, Vendor Advisory)
- packetstorm.linuxsecurity.com/0905-exploits/groupwise-xss.txt (nvd)
- secunia.com/advisories/35177 (nvd)
- securitytracker.com/id (nvd)
- www.securityfocus.com/archive/1/503700/100/0/threaded (nvd)
- www.securityfocus.com/bid/35061 (nvd)
- www.vupen.com/english/advisories/2009/1393 (nvd)
- bugzilla.novell.com/show_bug.cgi (nvd)