Novell GroupWise WebAccess Login Page User.lang Parameter XSS

This script is Copyright (C) 2009-2012 Tenable Network Security, Inc.


Synopsis :

The web application running on the remote host has a
cross-site scripting vulnerability.

Description :

The remote host is running a version of Novell GroupWise WebAccess
that is vulnerable to a cross-site scripting issue in the 'User.lang'
parameter of the login page.

There are other issues known to be associated with this version of
GroupWise WebAccess that Nessus has not tested for. Refer to the
Secunia advisory for details.

See also :

http://www.securityfocus.com/archive/1/503700/30/0/threaded
http://www.nessus.org/u?cc5f3ba8

Solution :

Upgrade to version 7.03 HP3 / 8.0 HP2 or later.

Risk factor :

Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVSS Temporal Score : 3.6
(CVSS2#E:F/RL:OF/RC:C)
Public Exploit Available : true

Family: CGI abuses : XSS

Nessus Plugin ID: 38927 (groupwise_webaccess_userlang_xss.nasl)

Bugtraq ID: 35061

CVE ID: CVE-2009-1635