Cross-site scripting (XSS) vulnerability in IBM Lotus Domino Web server

Technote (FAQ)


Question

JPCERT/CC contacted IBM® Lotus® to report a potential cross-site scripting (XSS) vulnerability in the IBM Lotus Domino® Web server.

In order to exploit this vulnerability successfully, all of the following conditions must be met:

(1) The Domino Web Server task (HTTP) must be enabled.

(2) The attacker must craft a specific malicious URL that triggers the cross-site scripting vulnerability.

(3) The user must be authenticated to the Domino server through a Web browser.

(4) The user must follow or click the malicious URL.

(5) The cross-site scripting payload then executes in the user's browser.
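As an added illustration of the reflected cross-site scripting class that steps (2) to (5) describe, and not code from IBM or from the Domino Web server (the technote does not name the affected component), the following Python shows a hypothetical page that echoes a URL query parameter, in its vulnerable form beside a hardened form that HTML-encodes the value before it reaches the page. The URL, the parameter name `q`, and the function names are constructed for this example.

```python
from html import escape
from urllib.parse import parse_qs, urlsplit

# Constructed request: the query parameter carries markup characters.
CONSTRUCTED_URL = "http://example.invalid/search?q=%3Cscript%3Ealert(1)%3C/script%3E"

# Characters that change meaning when they land unencoded in HTML.
MARKUP_CHARS = "<>\"'&"


def query_param(url: str, name: str) -> str:
    """Return the first value of query parameter `name`, percent-decoded, or ''."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def reflect_unsafe(url: str) -> str:
    """Vulnerable pattern: the untrusted value is copied verbatim into HTML,
    so any markup in it becomes part of the page the browser executes."""
    q = query_param(url, "q")
    return f"<p>Search results for: {q}</p>"


def reflect_safe(url: str) -> str:
    """Hardened pattern: HTML-encode the value for the contexts it is written
    into (element text and a quoted attribute). quote=True also encodes quotes,
    which matters for the attribute context."""
    q = escape(query_param(url, "q"), quote=True)
    return f'<p>Search results for: {q}</p>\n<input name="q" value="{q}">'


def reflects_raw_markup(page: str, value: str) -> bool:
    """Defender's check: True if an untrusted value containing markup
    characters appears unchanged in the rendered page."""
    return any(c in value for c in MARKUP_CHARS) and value in page


if __name__ == "__main__":
    value = query_param(CONSTRUCTED_URL, "q")
    print("unsafe reflects raw markup:", reflects_raw_markup(reflect_unsafe(CONSTRUCTED_URL), value))
    print("safe reflects raw markup:  ", reflects_raw_markup(reflect_safe(CONSTRUCTED_URL), value))
    print(reflect_safe(CONSTRUCTED_URL))
```

The check in `reflects_raw_markup` is deliberately simple: it only asks whether the decoded parameter survives the round trip with its markup characters intact, which is the condition step (5) depends on. Encoding must match the output context; the body-text and attribute contexts above are covered by `html.escape`, but a value written into a script block or a URL would need that context's own encoding.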

The advisory is available at the following link:
http://jvn.jp/jp/JVN%2384565055/index.html


Answer

This issue was reported to Quality Engineering as SPR# KEMG6ZK34H, and has been fixed in Lotus Domino releases 6.5.6 Fix Pack 2 (FP2), 7.0.2 Fix Pack 2 (FP2), 7.0.3 and 8.0.

Refer to the Upgrade Central site for details on upgrading Notes/Domino.



Security Rating using Common Vulnerability Scoring System (CVSS) v2

CVSS Base Score: 4.3
  • Impact Subscore: 2.9
  • Exploitability Subscore: 8.6
CVSS Temporal Score: 3.4
CVSS Environmental Score: Undefined*
Overall CVSS Score: 3.4

Base Score Metrics:
  • Related exploit range/Attack Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None

Temporal Score Metrics:
  • Exploitability: Proof of Concept Code
  • Remediation Level: Official Fix
  • Report Confidence: Confirmed
References:

*The CVSS Environmental Score is specific to the customer's environment and ultimately affects the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by consulting the referenced links.



Document information


More support for:

IBM Domino
Web Server

Software version:

6.5.6, 7.0, 8.0

Operating system(s):

AIX, Linux, Solaris, Windows, z/OS

Reference #:

1263871

Modified date:

2008-03-19
