Microsoft Exchange Server Outlook Web Access Script Injection Vulnerability

ID SMNTC-18381
Type symantec
Reporter Symantec Security Response
Modified 2006-06-13T00:00:00



Microsoft Exchange Server Outlook Web Access is prone to a script-injection vulnerability. A remote attacker can exploit this issue by sending a malicious email message to a vulnerable user.

Technologies Affected

  • Microsoft Exchange Server 2000 SP3
  • Microsoft Exchange Server 2003 SP1
  • Microsoft Exchange Server 2003 SP2


Run all software as a nonprivileged user with minimal access rights.
Running all client software as an unprivileged user with minimal access rights may reduce the impact of latent vulnerabilities that affect client applications.

Do not accept communications that originate from unknown or untrusted sources.
Users should avoid opening email messages that arrive unsolicited or originate from an unfamiliar or untrusted source.

Microsoft has released an advisory including fixes to address this issue.