CVE-2009-4662
Description
Cross-site scripting (XSS) vulnerability in the WebAccess component in Novell GroupWise 7.0 before 7.03 HP4 and 8.0 before 8.0 SP1 allows remote attackers to inject arbitrary web script or HTML via the User.Theme.index parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-site scripting vulnerability in Novell GroupWise WebAccess via User.Theme.index parameter allows remote attackers to inject arbitrary web script or HTML.
Vulnerability
A cross-site scripting (XSS) vulnerability exists in the WebAccess component of Novell GroupWise versions 7.0 up to and including 7.03 HP3, and 8.0 up to and including 8.0.0 HP2. The flaw is located in the User.Theme.index parameter, which is not properly sanitized, allowing injection of arbitrary web script or HTML [2].
Exploitation
An attacker can exploit this vulnerability by crafting a malicious URL containing script code in the User.Theme.index parameter. When a victim clicks on such a URL, the injected script executes in the context of the victim's browser. No prior authentication is required, and the attack can be performed remotely [2].
Impact
Successful exploitation leads to cross-site scripting, enabling the attacker to execute arbitrary JavaScript in the user's browser. This can result in session hijacking, defacement, or redirection to malicious sites. The attacker may also steal sensitive information displayed in the browser [2].
Mitigation
Novell has released fixes for this issue. For GroupWise 7.x systems, apply GroupWise 7.03 Hot Patch 4 (HP4) or later. For GroupWise 8.0 systems, apply GroupWise 8.0 Support Pack 1 (SP1) or later. No workarounds are documented [2].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:novell:groupwise:7.0:*:*:*:*:*:*:*
- cpe:2.3:a:novell:groupwise:7.01:*:*:*:*:*:*:*
- cpe:2.3:a:novell:groupwise:7.03:*:*:*:*:*:*:*
- cpe:2.3:a:novell:groupwise:7.0:sp1:*:*:*:*:*:*
- cpe:2.3:a:novell:groupwise:7.0:sp2:*:*:*:*:*:*
- cpe:2.3:a:novell:groupwise:7.0:sp3:*:*:*:*:*:*
- cpe:2.3:a:novell:groupwise:8.0:*:*:*:*:*:*:*
- (no CPE) range: 7.0 before 7.03 HP4, 8.0 before 8.0 SP1
Patches
No patches discovered yet.
References
- secunia.com/advisories/36746 (nvd, Vendor Advisory)
- www.novell.com/support/viewContent.do (nvd, Vendor Advisory)
- www.vupen.com/english/advisories/2009/2689 (nvd, Vendor Advisory)
- www.securityfocus.com/bid/36437 (nvd)
- www.securitytracker.com/id (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/53322 (nvd)