Severity
4.3 MEDIUM (NVD)
EPSS
0.4%
top 39.38%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: May 22
Latest update: May 2

Description

Multiple cross-site scripting (XSS) vulnerabilities in the WebAccess component in Novell GroupWise 7.x before 7.03 HP3 and 8.x before 8.0 HP2 allow remote attackers to inject arbitrary web script or HTML via (1) the User.lang parameter to the login page (aka gw/webacc), (2) style expressions in a message that contains an HTML file, or (3) vectors associated with incorrect protection mechanisms against scripting, as demonstrated using whitespace between JavaScript event names and values.

CVSS vector

AV:N/AC:M/C:N/I:P/A:N
Exploitability: 8.6 | Impact: 2.9

Affected Packages (1 package)

NVD: novell/groupwise, 8 versions +7

Vulnerability Details (2)

GHSA
GHSA-9q45-jm89-64q7: Multiple cross-site scripting (XSS) vulnerabilities in the WebAccess component in Novell GroupWise 7 (2022-05-02)
CVEList
CVE-2009-1635: Multiple cross-site scripting (XSS) vulnerabilities in the WebAccess component in Novell GroupWise 7 (2009-05-22)

Vendor Advisories (1)

Red Hat
kernel: nfsv4: kernel panic in nfs4_proc_lock() (2008-10-22)
CVE-2009-1635 — Cross-site Scripting in Groupwise | cvebase