Ga?l Delalleau has reported a vulnerability in Microsoft Exchange Server, which can be exploited by malicious people to conduct script insertion attacks.
The vulnerability is caused due to insufficient validation of HTML messages in Outlook Web Access. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of a vulnerable site when a specially crafted message is viewed.
SOFTWARE:
Microsoft Exchange 5.5
SOLUTION:
Apply patch.
Microsoft Exchange Server 5.5 (requires Service Pack 4):
http://www.microsoft.com/downloads/details.aspx?familyid=08435B77-9F3A-40F5-B13A-A7019CB1C244
PROVIDED AND/OR DISCOVERED BY:
Ga?l Delalleau
ORIGINAL ADVISORY:
MS05-029 (KB895179):
http://www.microsoft.com/technet/security/bulletin/ms05-029.mspx
iDEFENSE:
http://idefense.com/application/poi/display?id=261&type=vulnerabilities
VERIFY ADVISORY:
http://secunia.com/advisories/15697/
Secunia Security Advisories
http://community.securityteam.us/article.php/20050615073546360