{"type": "osvdb", "published": "2005-07-15T04:27:31", "href": "https://vulners.com/osvdb/OSVDB:18064", "hashmap": [{"key": "affectedSoftware", "hash": "c66a4b67f24bf34fd1337a087fc04bc9"}, {"key": "bulletinFamily", "hash": "f9fa10ba956cacf91d7878861139efb9"}, {"key": "cvelist", "hash": "5d5ad23362b294f7546cf61b18b9b08e"}, {"key": "cvss", "hash": "6e9bdd2021503689a2ad9254c9cdf2b3"}, {"key": "description", "hash": "59dfd8208b9275528c83f275c336ee4f"}, {"key": "href", "hash": "62a4a05d404817c483131159df6c4890"}, {"key": "modified", "hash": "86c21aed0a865031dbf1b272f248c473"}, {"key": "objectVersion", "hash": "56765472680401499c79732468ba4340"}, {"key": "published", "hash": "86c21aed0a865031dbf1b272f248c473"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "ab6f3ad0e51e281b61ac53337275a4b8"}, {"key": "title", "hash": "0845795643a5def55bcd358ae0e6ffd9"}, {"key": "type", "hash": "1327ac71f7914948578f08c54f772b10"}], "bulletinFamily": "software", "cvss": {"vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/", "score": 4.3}, "viewCount": 0, "history": [], "edition": 1, "objectVersion": "1.2", "reporter": "Francisco Amato(famato@infobyte.com.ar)", "title": "Novell GroupWise WebAccess E-Mail IMG SRC XSS", "affectedSoftware": [{"operator": "eq", "version": "6.5 SP4", "name": "Novell Groupwise"}], "enchantments": {"score": {"vector": "NONE", "value": 4.3}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2005-2276"]}, {"type": "exploitdb", "idList": ["EDB-ID:26001"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:9230"]}, {"type": "nessus", "idList": ["GROUPWISE_WEBACCESS_XSS.NASL"]}], "modified": "2017-04-28T13:20:14"}, "vulnersScore": 4.3}, "references": [], "id": "OSVDB:18064", "hash": "58b6e5ec277b2bcf7136ac538b448165c3d0aa9b9fb2ce88c588353038c891c1", "lastseen": "2017-04-28T13:20:14", "cvelist": ["CVE-2005-2276"], "modified": "2005-07-15T04:27:31", "description": "## Vulnerability Description\nNovell GroupWise WebAccess contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate e-mail message upon submission to the dynamically generated web content. This could allow a user to send a specially crafted e-mail that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.\n## Solution Description\nUpgrade to version 6.5 (dated after 11/7/2005) or 6.5 SP5 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nNovell GroupWise WebAccess contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate e-mail message upon submission to the dynamically generated web content. This could allow a user to send a specially crafted e-mail that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.\n## Manual Testing Notes\nSend a e-mail with the following html code:\n<IMG SRC=\"j&#X41vascript:alert(document.cookie)\">\n## References:\n[Vendor Specific Advisory URL](http://support.novell.com/cgi-bin/search/searchtid.cgi?/10098301.htm)\nSecurity Tracker: 1014515\n[Secunia Advisory ID:16098](https://secuniaresearch.flexerasoftware.com/advisories/16098/)\nOther Advisory URL: http://www.infobyte.com.ar/adv/ISR-11.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-07/0322.html\nKeyword: TID10098301\nISS X-Force ID: 21421\n[CVE-2005-2276](https://vulners.com/cve/CVE-2005-2276)\nBugtraq ID: 14310\n"}

{"cve": [{"lastseen": "2017-07-11T11:14:56", "bulletinFamily": "NVD", "description": "Cross-site scripting (XSS) vulnerability in Novell Groupwise WebAccess 6.5 before July 11, 2005 allows remote attackers to inject arbitrary web script or HTML via an e-mail message with an encoded javascript URI (e.g. \"j&#X41vascript\" in an IMG tag.", "modified": "2017-07-10T21:32:47", "published": "2005-07-26T00:00:00", "id": "CVE-2005-2276", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2276", "title": "CVE-2005-2276", "type": "cve", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "nessus": [{"lastseen": "2019-02-21T01:08:41", "bulletinFamily": "scanner", "description": "The remote host is running a version of GroupWise WebAccess from Novell that fails to sanitize email messages of HTML and script code embedded in IMG tags. An attacker can exploit this flaw to launch cross-site scripting attacks against users of WebAccess by sending them specially crafted email messages.", "modified": "2018-11-15T00:00:00", "id": "GROUPWISE_WEBACCESS_XSS.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=19228", "published": "2005-07-20T00:00:00", "title": "Novell GroupWise WebAccess Email IMG SRC XSS", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(19228);\n script_version(\"1.23\");\n script_cvs_date(\"Date: 2018/11/15 20:50:19\");\n\n script_cve_id(\"CVE-2005-2276\");\n script_bugtraq_id(14310);\n\n script_name(english:\"Novell GroupWise WebAccess Email IMG SRC XSS\");\n script_summary(english:\"Checks for cross-site scripting vulnerability in GroupWise WebAccess\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a script that is affected by a cross-\nsite scripting issue.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of GroupWise WebAccess from\nNovell that fails to sanitize email messages of HTML and script code\nembedded in IMG tags. An attacker can exploit this flaw to launch\ncross-site scripting attacks against users of WebAccess by sending\nthem specially crafted email messages.\");\n # https://web.archive.org/web/20060207021932/http://www.infobyte.com.ar/adv/ISR-11.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b5e9b54a\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/bugtraq/2005/Jul/320\");\n script_set_attribute(attribute:\"see_also\", value:\"http://support.novell.com/cgi-bin/search/searchtid.cgi?/10098301.htm\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to GroupWise 6.5 SP5 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2005/07/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/07/20\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:novell:groupwise_webaccess\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses : XSS\");\n\n script_copyright(english:\"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"http_version.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_keys(\"Settings/ParanoidReport\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\nport = get_http_port(default:80);\n\n# The aboutpqa.htm associated with the Palm app often has more detailed info\n# but isn't necessarily upgraded so check only if Report Paranoia is\n# set to Paranoid.\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nw = http_send_recv3(method:\"GET\", item:\"/com/novell/webaccess/palm/en/aboutpqa.htm\", port:port);\nif (isnull(w)) exit(1, \"the web server did not answer\");\nres = w[2];\n# nb: looks like:\n# <BR>Program Release:\n# <BR>6.5.4\nif (\"<BR>Program Release:\" >< res) {\n res = strstr(res, \"Program Release:\");\n pat = \"^<BR>([0-9].+)$\";\n if (egrep(string:res, pattern:pat, icase:TRUE)) {\n matches = egrep(pattern:pat, string:res, icase:TRUE);\n foreach match (split(matches)) {\n match = chomp(match);\n ver = eregmatch(pattern:pat, string:match);\n if (!isnull(ver)) {\n ver = ver[1];\n break;\n }\n }\n }\n}\n\n# If that failed, try to get it from WebAccess' main page.\nif (isnull(ver)) {\n w = http_send_recv3(method:\"GET\", item:\"/servlet/webacc\", port:port);\n if (isnull(w)) exit(1, \"the web server did not answer\");\n res = w[2];\n\n # Look for the version number in the banner.\n pat = \"^<BR>Version ([0-9].+)\";\n if (egrep(string:res, pattern:pat, icase:TRUE)) {\n matches = egrep(pattern:pat, string:res, icase:TRUE);\n foreach match (split(matches)) {\n match = chomp(match);\n ver = eregmatch(pattern:pat, string:match);\n if (!isnull(ver)) {\n ver = ver[1];\n # nb: 6.5 by itself doesn't give us enough details.\n if (ver =~ \"^6\\.5$\") {\n ver = NULL;\n }\n break;\n }\n }\n }\n}\n\n# Versions 6.5.4 and below are affected.\nif (ver && ver =~ \"^([0-5]\\.|6\\.([0-4]|5\\.[0-4]))\") {\n security_warning(port);\n set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);\n exit(0);\n}\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:13", "bulletinFamily": "software", "description": "||\r\n|| [ISR]\r\n|| Infobyte Security Research\r\n|| www.infobyte.com.ar\r\n|| 07.19.2005\r\n|| \r\n\r\n\r\n.:: SUMMARY \r\n\r\nNovell Groupwise WebAccess Cross-Site Scripting \r\n\r\nVersion: GroupWise 6.5 SP4, It is suspected that all previous versions of \r\nGroupwise WebAccess\r\nare vulnerable. \r\n\r\n.:: BACKGROUND \r\n\r\nGroupWise WebAccess is Novell&#39;s premier Intranet/Internet GroupWare solution \r\nfor the Web. \r\n\r\nMore info: http://www.novell.com \r\n\r\n.:: DESCRIPTION \r\n\r\nRemote explotation of Cross-Site Scripting due to failure of the application \r\nto properly\r\nsanitize user-supplied input prior to including it in dynamically generated \r\nWeb content. \r\n\r\nTo reproduce this, send a e-mail with the following html code: \r\n\r\n&lt;IMG SRC=&quot;j&amp;#X41vascript:alert&#40;document.cookie&#41;&quot;&gt; \r\n\r\nIt show a simple code of example to execute script in the browser of an \r\nunsuspecting user.\r\nThis issue may allow for the theft of authentication credentials. \r\n\r\n.:: VENDOR RESPONSE \r\n\r\nVendor advisory:\r\n http://support.novell.com/cgi-bin/search/searchtid.cgi?/10098301.htm \r\n\r\nVendor patch:\r\n http://support.novell.com/filefinder/16963/beta.html\r\n The filename is fwa655d.exe\r\n\r\n.:: CVE INFORMATION \r\n\r\nId: CAN-2005-2276\r\nWeb: http://cve.mitre.org\r\n\r\n.:: DISCLOSURE TIMELINE \r\n\r\n06/14/2005 Initial vendor notification\r\n06/14/2005 Initial vendor response\r\n07/19/2005 Coordinated public disclosure \r\n\r\n.:: CREDIT \r\n\r\nFrancisco Amato is credited with discovering this vulnerability.\r\nfamato][at][infobyte][dot][com][dot][ar \r\n\r\n.:: LEGAL NOTICES \r\n\r\nCopyright &#40;c&#41; 2005 by [ISR] Infobyte Security Research.\r\nPermission to redistribute this alert electronically is granted as long as \r\nit is not\r\nedited in any way unless authorized by Infobyte Security Research Response.\r\nReprinting the whole or part of this alert in any medium other than \r\nelectronically\r\nrequires permission from infobyte com ar \r\n\r\nDisclaimer\r\nThe information in the advisory is believed to be accurate at the time of \r\npublishing\r\nbased on currently available information. Use of the information constitutes \r\nacceptance\r\nfor use in an AS IS condition. There are no warranties with regard to this \r\ninformation.\r\nNeither the author nor the publisher accepts any liability for any direct, \r\nindirect, or\r\nconsequential loss or damage arising from use of, or reliance on, this \r\ninformation. \r\n\r\n_______________________________________________\r\nFull-Disclosure - We believe in it.\r\nCharter: http://lists.grok.org.uk/full-disclosure-charter.html\r\nHosted and sponsored by Secunia - http://secunia.com/", "modified": "2005-07-19T00:00:00", "published": "2005-07-19T00:00:00", "id": "SECURITYVULNS:DOC:9230", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:9230", "title": "[Full-disclosure] [ISR] - Novell Groupwise WebAccess Cross-Site Scripting", "type": "securityvulns", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "exploitdb": [{"lastseen": "2016-02-03T02:37:49", "bulletinFamily": "exploit", "description": "Novell GroupWise 6.5 WebAccess HTML Injection Vulnerability. CVE-2005-2276 . Webapps exploit for java platform", "modified": "2005-07-15T00:00:00", "published": "2005-07-15T00:00:00", "id": "EDB-ID:26001", "href": "https://www.exploit-db.com/exploits/26001/", "type": "exploitdb", "title": "Novell GroupWise 6.5 WebAccess HTML Injection Vulnerability", "sourceData": "source: http://www.securityfocus.com/bid/14310/info\r\n\r\nNovell GroupWise WebAccess is prone to an HTML injection vulnerability. This may be used to inject hostile HTML and script code into the Web mail application. When a user opens an email containing the hostile code, it may be rendered in their browser.\r\n\r\nSuccessful exploitation could potentially allow theft of cookie-based authentication. Other attacks are also possible. \r\n\r\n<IMG SRC=\"j&#X41vascript:alert(document.cookie)\"> ", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/26001/"}]}