Reported August 10, 2004, by Microsoft

VERSIONS AFFECTED

  • Microsoft Exchange Server 5.5 Service Pack 4 (SP4) with Microsoft Outlook Web Access (OWA)
     

DESCRIPTION
A cross-site scripting and spoofing vulnerability in Exchange 5.5 SP4 could let an attacker convince an OWA user to run a malicious script. This vulnerability could let an attacker access any data on the OWA server that the user could access.

VENDOR RESPONSE
Microsoft has released bulletin MS04-026, "Vulnerability in Exchange Server 5.5 Outlook Web Access Could Allow Cross-Site Scripting and Spoofing Attacks (842436)," to address this vulnerability and recommends that affected users apply the appropriate patch listed in the bulletin.

CREDIT
Discovered by Microsoft.