CVE-2009-1635

Name of the Vulnerable Software and Affected Versions: Novell GroupWise versions 7.x through 7.03 HP2 and 8.x through 8.0 HP1

Description: The issue concerns multiple cross-site scripting (XSS) vulnerabilities in the WebAccess component. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML via several vectors, including the User.lang parameter to the login page, style expressions in a message containing an HTML file, or incorrect protection mechanisms against scripting. This can be demonstrated using whitespace between JavaScript event names and values.

Recommendations: For Novell GroupWise versions 7.x through 7.03 HP2, update to version 7.03 HP3 or later. For Novell GroupWise versions 8.x through 8.0 HP1, update to version 8.0 HP2 or later.