Vulnerability Note VU#300373
Microsoft Outlook Web Access vulnerable to cross-site scripting
Microsoft Outlook Web Access may be vulnerable to cross-site scripting attacks.
Microsoft Outlook Web Access (OWA) allows users to access their email accounts on a Microsoft Exchange server from another host through a web browser.
Microsoft Outlook Web Access for Exchange Server 5.5 contains a flaw in the HTML encoding routines used in the Compose New Message form. An attacker may be able to send a specially crafted message to a user; when the user reads the message, a malicious script runs in that user's security context.
A remote unauthenticated attacker may be able to execute arbitrary script code in the security context of the user reading the mail.
Apply An Update
Microsoft Security Bulletin MS05-029 recommends a number of workarounds, including:
- Uninstall Outlook Web Access
- Disable Outlook Web Access for each Exchange site
- Modify the Read.asp file to not encode HTML mail with the appropriate HTML markup
Systems Affected

| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Microsoft Corporation | Affected | - | 14 Jun 2005 |
This document was written by Ken MacInnis.
- CVE IDs: CAN-2005-0563
- Date Public: 14 Jun 2005
- Date First Published: 14 Jun 2005
- Date Last Updated: 14 Jun 2005
- Severity Metric: 11.70
- Document Revision: 6