>> Microsoft Exchange Server Cross Site Scripting Issues (MS08-039)
Title : Microsoft Exchange Server Cross Site Scripting Issues (MS08-039) VUPEN ID : VUPEN/ADV-2008-2021 CVE ID : CVE-2008-2247 - CVE-2008-2248 CWE ID : CWE-79
Rated as : Moderate Risk
Remotely Exploitable : Yes Locally Exploitable : Yes Release Date : 2008-07-08
Technical Description
Two vulnerabilities have been identified in Microsoft Exchange Server, which could be exploited by attackers to disclose or manipulate email data.
The first issue is caused by an error in Outlook Web Access (OWA) for Exchange Server that does not sufficiently validate email fields when opening mail from within an individual client's OWA session, which could allow attackers to execute malicious script in the security context of a user's OWA session via a specially crafted email, and read, send, and delete emails as the logged-on user.
The second vulnerability is caused by an error in Outlook Web Access (OWA) for Exchange Server that does not sufficiently validate HTML when rendering e-mail from within an individual OWA client session, which could be exploited by attackers to execute malicious script by tricking a user into opening a specially crafted email.
Subscribe to VUPEN VNS and receive real-time e-mail and SMS alerts when new advisories or patches relevant to your systems and network configurations are available.
Feedback If you have additional information or corrections for this security advisory please submit them via our contact form.
