
Microsoft Outlook Web Access for Exchange Server Multiple Cross-Site Scripting Vulnerabilities (09 July 2008)

Last Update Date: 28 Jan 2011 Release Date: 9 Jul 2008

RISK: Medium Risk

1. Outlook Web Access for Exchange Server Data Validation Cross-Site Scripting Vulnerability

This is a cross-site scripting vulnerability in the affected versions of Outlook Web Access (OWA) for Exchange Server. Exploitation of the vulnerability could lead to elevation of privilege on individual OWA clients connecting to Outlook Web Access for Exchange Server. To exploit the vulnerability, an attacker would have to convince a user to open a specially crafted e-mail that would run malicious script from within an individual OWA client. If the malicious script is executed, it would run in the security context of the user's OWA session and could perform any action the user could perform, such as reading, sending, and deleting e-mail as the logged-on user.

2. Outlook Web Access for Exchange Server HTML Parsing Cross-Site Scripting Vulnerability

This is a cross-site scripting vulnerability in the affected versions of Outlook Web Access (OWA) for Exchange Server. Exploitation of the vulnerability could lead to elevation of privilege on individual OWA clients connecting to Outlook Web Access for Exchange Server. To exploit the vulnerability, an attacker would have to convince a user to open a specially crafted e-mail that would run malicious script from within an individual OWA client. The script would run in the security context of the user's OWA session and could perform any action the user could perform, such as reading, sending, and deleting e-mail as the logged-on user.


Impact

  • Elevation of Privilege

System / Technologies affected

  • Microsoft Exchange Server 2003
  • Microsoft Exchange Server 2007

Solutions

Before installing the software, please visit the software manufacturer's website for more details.

Download locations for this patch


Vulnerability Identifier


Source


Related Link