Skip to main content


Potential vulnerability in servlet engine/Web container in Lotus Domino Web servers

 Technote (FAQ)
 
 
Question
There is a potential cross-site scripting (XSS) vulnerability in the servlet engine/Web container in IBM® Lotus® Domino® Web servers. This vulnerability could be exposed by a malformed HTTP request.


The following would have to be true in order to exploit this vulnerability :
  • Domino Web (HTTP) server task must be enabled
  • Attacker must be able to authenticate and connect to the Domino Web server using a Web browser
  • Attacker, using a Web browser, must create a specific malicious HTTP request that exposes the cross-site scripting vulnerability
  • The Domino Web server processing the malicious request could result in the vulnerability
 
Answer
This issue was reported to Quality Engineering as SPR# MKIN7AUTAC, and has been fixed in Lotus Domino releases 7.0.3 Fix Pack 1 (FP1) and 8.0.1.


Refer to the Upgrade Central site for details on upgrading Notes/Domino.


Security Rating using Common Vulnerability Scoring System (CVSS) v2
CVSS Base Score: < 3.5 >
---- Impact Subscore: < 2.9 >
---- Exploitability Subscore: < 6.8 >
CVSS Temporal Score: < 2.7 >
CVSS Environmental Score: < Undefined* >
Overall CVSS Score: < 2.7 >
Base Score Metrics:
  • Related exploit range/Attack Vector: < Network >
  • Access Complexity: < Medium >
  • Authentication < Single >
  • Confidentiality Impact: < None >
  • Integrity Impact: < Partial >
  • Availability Impact: < None >
Temporal Score Metrics:
  • Exploitability: < Proof of Concept Code>
  • Remediation Level: < Official Fix >
  • Report Confidence: < Confirmed >
References:

*The CVSS Environment Score is customer environment-specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the referenced links.
 
 
 

Copyright and trademark information

IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.

Rate this page

Please take a moment to complete this form to help us better serve you.

This material provides me with the information I need.






This material is clear and easy to understand.






Did the information help you to achieve your goal?

What updates, improvements, or related information would you like to see in this document?

Your response will be used to improve our document content. Requests for assistance, if applicable, should be submitted through your normal support channel as we cannot respond from this site.

Input the verification number to submit feedback:


Document information

Product categories:

Software

Messaging Applications

Advanced Messaging

Lotus Domino Web Access

General

Operating system(s):

Linux, Windows

Software version:

7.0, 7.0.1, 7.0.2, 7.0.3, 8.0, 8.0.1

Reference #:

1303296

IBM Group:

Software Group

Modified date:

2008-05-22

Translate my page

Rate this page