Cross-site scripting (XSS) vulnerability in Outlook Web Access for Exchange Server 5.5 Service Pack 4 allows remote attackers to insert arbitrary script and spoof content in HTML email or web caches via an HTML redirect query.
Microsoft Exchange Outlook Web Access (OWA) is prone to HTTP response splitting attacks. This issue could permit hostile script to be injected into client sessions, which could gain access to properties of the OWA server and Web pages hosted on the site. It is noted that the attacker must authenticate to OWA to be in a position to exploit this issue. If successfully exploited, this could allow for various attacks, such as session hijacking, and content spoofing. This issue could also be used to exploit latent vulnerabilities in Web client software.
Microsoft has released a Security Bulletin that includes fixes to address this issue. Microsoft Exchange Server 5.5 SP4 Microsoft Security Update for Exchange 5.5 (KB842436) http://www.microsoft.com/downloads/details.aspx?FamilyId=66E4E033-5A4C -4EEC-84F1-31F0CA878092&displaylang=en
Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: firstname.lastname@example.org <mailto:email@example.com>.