Microsoft Outlook Web Access vulnerable to cross-site scripting

ID VU:300373
Type cert
Reporter CERT
Modified 2005-06-14T00:00:00



Microsoft Outlook Web Access may be vulnerable to cross-site scripting attacks.


Microsoft Outlook Web Access (OWA) allows users to access their email accounts on a Microsoft Exchange server from another host through a web browser.

Microsoft Outlook Web Access for Exchange Server 5.5 contains a flaw in the HTML encoding routines used in the Compose New Message form. An attacker may be able to send a specially crafted message to a user that, when read, runs a malicious script in the security context of that user.
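The note attributes the issue to the HTML encoding routines but does not describe the defect itself. As an added illustration of this bug class (not OWA code and not derived from MS05-029), the hypothetical encoder below escapes only angle brackets, a complete encoder sits beside it, and a check shows what "fully encoded" output must satisfy before untrusted mail content is placed into a page.

```python
import html
import re

# Constructed sample message fields (not taken from the advisory).
SAMPLE_SUBJECT = 'Status "update" & <review>'
SAMPLE_BODY = "Tom & Jerry <b>met</b> today"


def encode_incomplete(text: str) -> str:
    """Hypothetical encoder that handles only angle brackets.

    Quotes and ampersands pass through unchanged, so content that is
    placed inside an attribute value can still terminate the attribute.
    """
    return text.replace("<", "&lt;").replace(">", "&gt;")


def encode_for_html(text: str) -> str:
    """Encode untrusted content for an HTML text node or a quoted
    attribute value: & < > " and ' are all turned into entities."""
    return html.escape(text, quote=True)


def render_message(subject: str, body: str) -> str:
    """Build a message view; every untrusted field is encoded for the
    context (attribute value or text node) it is written into."""
    return (
        f'<div class="msg" title="{encode_for_html(subject)}">'
        f"<pre>{encode_for_html(body)}</pre></div>"
    )


# Allowed output: no raw metacharacters, and every '&' starts one of
# the entities the complete encoder emits.
_ENCODED = re.compile(
    r"""^[^<>"'&]*(?:&(?:lt|gt|quot|amp|#x27);[^<>"'&]*)*$"""
)


def is_fully_encoded(text: str) -> bool:
    """Return True when text contains no unescaped HTML metacharacter."""
    return _ENCODED.match(text) is not None


if __name__ == "__main__":
    print("incomplete:", is_fully_encoded(encode_incomplete(SAMPLE_SUBJECT)))
    print("complete:  ", is_fully_encoded(encode_for_html(SAMPLE_SUBJECT)))
    print(render_message(SAMPLE_SUBJECT, SAMPLE_BODY))
```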


A remote unauthenticated attacker may be able to execute arbitrary script code in the security context of the user reading the mail.


Apply an Update

Please see Microsoft Security Bulletin MS05-029 for more information, such as workarounds and patches.

Utilize Workarounds

Microsoft Security Bulletin MS05-029 recommends a number of workarounds, including:

  • Uninstall Outlook Web Access
  • Disable Outlook Web Access for each Exchange site
  • Modify the Read.asp file to not encode HTML mail with the appropriate HTML markup

Systems Affected

Vendor                | Status | Date Notified | Date Updated
Microsoft Corporation |        | -             | 14 Jun 2005

CVSS Metrics

Group | Score | Vector
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | N/A | N/A




Thanks to Microsoft for information on this issue; Microsoft in turn thanks Gaël Delalleau, working with iDEFENSE, for reporting this vulnerability.

This document was written by Ken MacInnis.

Other Information

  • CVE IDs: CAN-2005-0563
  • Date Public: 14 Jun 2005
  • Date First Published: 14 Jun 2005
  • Date Last Updated: 14 Jun 2005
  • Severity Metric: 11.70
  • Document Revision: 6