Vulnerability Note VU#300373

Microsoft Outlook Web Access vulnerable to cross-site scripting

Original Release date: 14 Jun 2005 | Last revised: 14 Jun 2005


Microsoft Outlook Web Access may be vulnerable to cross-site scripting attacks.


Microsoft Outlook Web Access (OWA) allows users to access their email accounts on a Microsoft Exchange server from another host through a web browser.

Microsoft Outlook Web Access for Exchange Server 5.5 contains a flaw in the HTML encoding routines used in the Compose New Message form that may allow an attacker to send a specially-crafted message to a user which then in turn runs a malicious script in the security context of the user reading the mail message.


A remote unauthenticated attacker may be able to execute arbitrary script code in the security context of the user reading the mail.


Apply An Update

Please see Microsoft Security Bulletin MS05-029 for more information, such as workarounds and patches.

    Utilize Workarounds

    Microsoft Security Bulletin MS05-029 recommends a number of workarounds, including:

    Uninstall Outlook Web Access

    Disable Outlook Web Access for each Exchange site

    Modify the Read.asp file to not encode HTML mail with the appropriate HTML markup

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
Microsoft CorporationAffected-14 Jun 2005
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A



Thanks to Microsoft for information on this issue, who in turn thank GaŽl Delalleau working with iDEFENSE for reporting this vulnerability.

This document was written by Ken MacInnis.

Other Information

  • CVE IDs: CAN-2005-0563
  • Date Public: 14 Jun 2005
  • Date First Published: 14 Jun 2005
  • Date Last Updated: 14 Jun 2005
  • Severity Metric: 11.70
  • Document Revision: 6


If you have feedback, comments, or additional information about this vulnerability, please send us email.