A script injection vulnerability exists in Microsoft Exchange Server running Outlook Web Access.
Microsoft Outlook Web Access (OWA) is a service of Exchange Server. OWA allows authorized users to read and send email, manage their calendar, and perform other functions on an Exchange server via the Web.
Outlook Web Access fails to correctly filter script contained in an email message under certain circumstances. This results in a vulnerability that could allow an attacker to supply script that would be executed by a user using OWA to read email.
A remote attacker with the ability to supply an email message containing specially crafted script may be able to execute the script in the security context of the victim user on the client system. Microsoft states that user interaction is required to exploit this vulnerability.
Apply a patch
Thanks to Microsoft for reporting this vulnerability. Microsoft, in turn, credits Daniel Fabian of SEC Consult with reporting this issue to them.
This document was written by Chad R Dougherty.
|Date First Published:||2006-06-13|
|Date Last Updated:||2006-06-13 20:42 UTC|