Reported December 6, 2001, by Microsoft.
Microsoft Exchange Server 5.5 using Outlook Web Access
A vulnerability exists in the Microsoft Exchange Server 5.5 Outlook Web Access (OWA) service that lets an attacker take any action on the user’s mailbox that the user can take, including deleting, moving, and sending messages. The vulnerability results from a problem in the way that OWA handles inline script in messages when it is used in conjunction with Internet Explorer (IE). If the user uses OWA to open an HTML message containing a specially formed script, the script executes under the user’s security context.
Discovered by Lex Arquette of WhiteHat Security.