PT-2008-3742 · Microsoft · Outlook Web Access+1

Michael Jordan · Published 2008-07-08 · Updated 2020-04-09 · CVE-2008-2247

CVSS v2.0: 4.3 (Medium)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions: Outlook Web Access (OWA) for Exchange Server 2003 SP2
Description: The issue is a cross-site scripting (XSS) vulnerability that allows remote attackers to inject arbitrary web script or HTML via unspecified e-mail fields. Exploitation of this issue could lead to elevation of privilege on individual OWA clients connecting to Outlook Web Access for Exchange Server. An attacker would have to convince a user to open a specially crafted e-mail that would run malicious script from within an individual OWA client. If the malicious script is executed, it would run in the security context of the user’s OWA session and could perform any action the user could perform, such as reading, sending, and deleting e-mail as the logged-on user.
Recommendations: As a temporary workaround, consider restricting access to e-mail fields that could be used to inject malicious scripts until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

XSS

Related Identifiers

CVE-2008-2247

Affected Products

Exchange Server
Outlook Web Access