Novell GroupWise contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the WebAccess component does not validate the "Directory.Item.name" and "Directory.Item.displayName" parameters upon submission to the address book. This may allow a user to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

Upgrade to version 8.02 Hot Patch 3 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

• CVE ID: 2011-2661 (see also: NVD)
• Secunia Advisory ID: 43513
• Bugtraq ID: 49935
• Related OSVDB ID: 75769 75770 75771 75772 75774 75775
• Vendor Specific Advisory URL: http://www.novell.com/support/viewContent.do?externalId=7009214
• Vendor Specific News/Changelog Entry: https://bugzilla.novell.com/show_bug.cgi?id=702786

• Joshua Tiago - via Secunia