{"vuid":"VU#435444","idnumber":"435444","name":"Microsoft Outlook Web Access (OWA) contains cross-site scripting vulnerability in the \"Compose New Message\" form","keywords":["Microsoft","Outlook Web Access","OWA","cross-site scripting","css","HTML encoding","Compose New Message form","Q828489","MS03-047"],"overview":"There is a cross-site scripting vulnerability in Microsoft Outlook Web Access.","clean_desc":"The \"Compose New Message\" form of the Outlook Web Access (OWA) component of Microsoft Exchange 5.5 contains a cross-site scripting vulnerability. For more information about cross-site scripting vulnerabilities, see http://www.cert.org/advisories/CA-2000-02.html\nhttp://www.cert.org/archive/pdf/cross_site_scripting.pdf\nFor more information on this particular cross-site scripting vulnerability, see Microsoft Security Bulletin MS03-047.","impact":"If an attacker can trick or entice a user to follow a link, the attacker can execute script as the victim in the context of the zone in which the Outlook server resides. For example, this could permit the attacker to gain access to messages stored on the server.","resolution":"Apply a patch as described in Microsoft Security Bulletin MS03-047.","workarounds":"","sysaffected":"","thanks":"Our thanks to Microsoft for the information contained in their bulletin. Microsoft has credited Ory Segal of Sanctum Inc. for discovering the vulnerability.","author":"This document was written by Shawn Hernan based on information in Microsoft Security Bulletin MS03-047.","public":["http://www.microsoft.com/technet/security/bulletin/MS03-047.asp","http://support.microsoft.com/default.aspx?scid=kb;en-us;828489","http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/news/crssite.asp","http://search.cert.org/query.html?col=certadv&col=vulnotes&qt=cross-site+scripting"],"cveids":["CVE-2003-0712"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2003-10-15T20:11:23Z","publicdate":"2003-10-15T00:00:00Z","datefirstpublished":"2003-10-16T02:31:08Z","dateupdated":"2003-10-16T18:48:11Z","revision":5,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"18","cam_exploitation":"0","cam_internetinfrastructure":"10","cam_population":"15","cam_impact":"15","cam_easeofexploitation":"15","cam_attackeraccessrequired":"8","cam_scorecurrent":"14.175","cam_scorecurrentwidelyknown":"15.1875","cam_scorecurrentwidelyknownexploited":"25.3125","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":14.175,"vulnote":null}