CVE-2009-1635 Information

Description

Multiple cross-site scripting (XSS) vulnerabilities in the WebAccess component in Novell GroupWise 7.x before 7.03 HP3 and 8.x before 8.0 HP2 allow remote attackers to inject arbitrary web script or HTML via (1) the User.lang parameter to the login page (aka gw/webacc), (2) style expressions in a message that contains an HTML file, or (3) vectors associated with incorrect protection mechanisms against scripting, as demonstrated using whitespace between JavaScript event names and values.

Reference

http://packetstorm.linuxsecurity.com/0905-exploits/groupwise-xss.txt
http://secunia.com/advisories/35177
http://securitytracker.com/id?1022267
http://www.novell.com/support/search.do?cmd=displayKC&externalId=7003271
http://www.novell.com/support/viewContent.do?externalId=7003267&sliceId=1
http://www.novell.com/support/viewContent.do?externalId=7003268&sliceId=1
http://www.securityfocus.com/archive/1/503700/100/0/threaded
http://www.securityfocus.com/archive/1/503885/100/0/threaded
http://www.securityfocus.com/bid/35061
http://www.securityfocus.com/bid/35066
http://www.vupen.com/english/advisories/2009/1393
https://bugzilla.novell.com/show_bug.cgi?id=472987
https://bugzilla.novell.com/show_bug.cgi?id=474500
https://bugzilla.novell.com/show_bug.cgi?id=484942
https://exchange.xforce.ibmcloud.com/vulnerabilities/50672
https://exchange.xforce.ibmcloud.com/vulnerabilities/50689
https://exchange.xforce.ibmcloud.com/vulnerabilities/50691
