SkipNavigation
US-CERT
American Flag
  Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information


 
 View Notes By
  Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric



 Other Documents
  Technical Alerts

Technical Bulletins

Alerts

Security Tips

 

Vulnerability Note VU#435444

Microsoft Outlook Web Access (OWA) contains cross-site scripting vulnerability in the "Compose New Message" form

Overview

There is a cross-site scripting vulnerability in Microsoft Outlook Web Access.

I. Description

The "Compose New Message" form of the Outlook Web Access (OWA) component of Microsoft Exchange 5.5 contains a cross-site scripting vulnerability. For more information about cross-site scripting vulnerabilities, see For more information on this particular cross-site scripting vulnerability, see Microsoft Security Bulletin MS03-047.

II. Impact

If an attacker can trick or entice a user to follow a link, the attacker can execute script as the victim in the context of the zone in which the Outlook server resides. For example, this could permit the attacker to gain access to messages stored on the server.

III. Solution

Apply a patch as described in Microsoft Security Bulletin MS03-047.

Systems Affected

VendorStatusDate Updated
Microsoft CorporationVulnerable15-Oct-2003

References


http://www.microsoft.com/technet/security/bulletin/MS03-047.asp
http://support.microsoft.com/default.aspx?scid=kb;en-us;828489
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/news/crssite.asp
http://search.cert.org/query.html?col=certadv&col=vulnotes&qt=cross-site+scripting

Credit

Our thanks to Microsoft for the information contained in their bulletin. Microsoft has credited Ory Segal of Sanctum Inc. for discovering the vulnerability.

This document was written by Shawn Hernan based on information in Microsoft Security Bulletin MS03-047.

Other Information

Date Public10/15/2003
Date First Published10/15/2003 10:31:07 PM
Date Last Updated10/16/2003
CERT Advisory 
CVE NameCAN-2003-0712
US-CERT Technical Alerts 
Metric14.18
Document Revision5

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Page Corner Image
Copyright 2003 Carnegie Mellon University
Disclaimers and copyright information
Get Adobe Reader Get Adobe Reader