Vulnerability Note VU#435444

Microsoft Outlook Web Access (OWA) contains cross-site scripting vulnerability in the "Compose New Message" form

Original Release date: 15 Oct 2003 | Last revised: 16 Oct 2003

Overview

There is a cross-site scripting vulnerability in Microsoft Outlook Web Access.

Description

The "Compose New Message" form of the Outlook Web Access (OWA) component of Microsoft Exchange 5.5 contains a cross-site scripting vulnerability. For more information about cross-site scripting vulnerabilities, see

For more information on this particular cross-site scripting vulnerability, see Microsoft Security Bulletin MS03-047.

Impact

If an attacker can trick or entice a user to follow a link, the attacker can execute script as the victim in the context of the zone in which the Outlook server resides. For example, this could permit the attacker to gain access to messages stored on the server.

Solution

Apply a patch as described in Microsoft Security Bulletin MS03-047.

Systems Affected

Vendor                 Status    Date Notified  Date Updated
Microsoft Corporation  Affected  -              15 Oct 2003

CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

Credit

Our thanks to Microsoft for the information contained in their bulletin. Microsoft has credited Ory Segal of Sanctum Inc. for discovering the vulnerability.

This document was written by Shawn Hernan based on information in Microsoft Security Bulletin MS03-047.

Other Information

  • CVE IDs: CAN-2003-0712
  • Date Public: 15 Oct 2003
  • Date First Published: 15 Oct 2003
  • Date Last Updated: 16 Oct 2003
  • Severity Metric: 14.18
  • Document Revision: 5
