Microsoft Outlook Web Access XSS

2003-10-15T17:36:27
ID OSVDB:2679
Type osvdb
Reporter OSVDB
Modified 2003-10-15T17:36:27

Description

Vulnerability Description

Microsoft Exchange Outlook Web Access (OWA) contains a flaw that allows a remote cross-site scripting (XSS) attack. The flaw exists because the application does not validate user-supplied input variables submitted to the "Compose New Message" form. This could allow an attacker to create a specially crafted URL that would execute arbitrary code in a victim's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Solution Description

Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability.

References:

Secunia Advisory ID: 10016
Microsoft Security Bulletin: MS03-047
ISS X-Force ID: 13421
CVE-2003-0712
CERT VU: 435444
Bugtraq ID: 8832