JPCERT/CC contacted IBM® Lotus® to report a potential cross-site scripting (XSS) vulnerability in the IBM Lotus Domino® Web server.
In order to successfully exploit this vulnerability:
(1) Domino Web Server task (HTTP) must be enabled.
(2) Attacker must create a specific malicious URL that exposes the cross-site scripting vulnerability.
(3) User must authenticate with the Domino server via a Web browser
(4) User must follow or click the malicious URL
(5) The cross-site scripting vulnerability is then executed
The advisory is available at the following link:
This issue was reported to Quality Engineering as SPR# KEMG6ZK34H, and has been fixed in Lotus Domino releases 6.5.6 Fix Pack 2 (FP2), 7.0.2 Fix Pack 2 (FP2), 7.0.3 and 8.0.
Refer to the Upgrade Central site for details on upgrading Notes/Domino.
|Security Rating using Common Vulnerability Scoring System (CVSS) v2|
|CVSS Base Score: < 4.3 >
---- Impact Subscore: < 2.9 >
---- Exploitability Subscore: < 8.6 >
CVSS Temporal Score: < 3.4 >
CVSS Environmental Score: < Undefined* >
Overall CVSS Score: < 3.4 >
|Base Score Metrics:
|Temporal Score Metrics:
*The CVSS Environment Score is customer environment-specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the referenced links.
Rate this page:
Copyright and trademark information
IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.