CVE-2016-5760

Name of the Vulnerable Software and Affected Versions Novell GroupWise versions prior to 2014 R2 Service Pack 1 Hot Patch 1

Description The issue concerns multiple cross-site scripting (XSS) vulnerabilities in the administrator console. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML. Specifically, the vulnerabilities can be exploited via the token parameter to "gwadmin-console/install/login.jsp" or the PATH INFO to "gwadmin-console/index.jsp".

Recommendations For versions prior to 2014 R2 Service Pack 1 Hot Patch 1, update to 2014 R2 Service Pack 1 Hot Patch 1 or later to resolve the issue. As a temporary workaround, consider restricting access to the administrator console and avoiding the use of the token parameter in the "gwadmin-console/install/login.jsp" endpoint and the PATH INFO in the "gwadmin-console/index.jsp" endpoint until the update is applied.