>> Microsoft Exchange Server Cross Site Scripting Issues (MS08-039)
Title : Microsoft Exchange Server Cross Site Scripting Issues (MS08-039) VUPEN ID : VUPEN/ADV-2008-2021 CVE ID : CVE-2008-2247 - CVE-2008-2248 CWE ID : CWE-79
Rated as : Moderate Risk
Remotely Exploitable : Yes Locally Exploitable : Yes Release Date : 2008-07-08
Technical Description
Two vulnerabilities have been identified in Microsoft Exchange Server, which could be exploited by attackers to disclose or manipulate email data.
The first issue is caused by an error in Outlook Web Access (OWA) for Exchange Server that does not sufficiently validate email fields when opening mail from within an individual client's OWA session, which could allow attackers to execute malicious script in the security context of a user's OWA session via a specially crafted email, and read, send, and delete emails as the logged-on user.
The second vulnerability is caused by an error in Outlook Web Access (OWA) for Exchange Server that does not sufficiently validate HTML when rendering e-mail from within an individual OWA client session, which could be exploited by attackers to execute malicious script by tricking a user into opening a specially crafted email.
