Potential Cross Site Scripting (XSS) Vulnerability in Domino Web Access

Technote (FAQ)


Question

Eric Beaulieu contacted IBM Lotus to report a potential Cross Site Scripting (XSS) vulnerability in Lotus® Domino® Web Access (DWA).

The advisory can be accessed at the following link:

http://secunia.com/advisories/24633/

or

http://secunia.com/



Cause

The Active Content Filter feature, which protects users from potentially malicious code execution upon reading mail in the browser, needed to be updated to account for a particular circumstance.

Answer

This issue was reported to Quality Engineering as SPR# DWHR6SYE3Z, and is addressed in the following releases:


Domino 6.5.5 Fix Pack 3 (FP3)
Domino 6.5.6
Domino 7.0.2 Fix Pack 1 (FP1)
Domino 8.0


Attack vector: Local network
Impact: Cross site scripting

Assessing this vulnerability using the Common Vulnerability Scoring System (CVSS):
CVSS Base Score: 3.5
CVSS Temporal Score: 2.7
CVSS Environmental Score: Undefined*
Overall CVSS Score: 2.7

*The CVSS Environmental Score is specific to each customer's environment and will ultimately affect the Overall Score. Customers can evaluate the impact of this vulnerability in their environments using the reference links below.

Base Score Metrics:
Related exploit range/Attack Vector: Remote
Attack Complexity: Low
Level of Authentication Needed: Not Required
Confidentiality Impact: Partial
Integrity Impact: None
Availability Impact: None
Impact Value Weighting: Weight confidentiality

Temporal Score Metrics:
Availability of Exploit: Proof of concept exists
Type of Fix available: Official fix
Level of verification that vulnerability exists: Confirmed

References:
Complete CVSS Guide:
http://www.first.org/cvss/cvss-guide.html

Online Calculator:
http://nvd.nist.gov/cvss.cfm?calculator




Document information


More support for:

Lotus End of Support Products
Lotus Domino Web Access

Software version:

6.5, 7.0

Operating system(s):

Linux, Windows

Reference #:

1247201

Modified date:

2010-04-28
