Potential Cross Site Scripting (XSS) vulnerability in Lotus Sametime server

Technote (FAQ)


Question

In very specific scenarios, there is a possibility that a Sametime® server could be exploited by a Cross Site Scripting vulnerability.

Answer

In a specific instance, it was found that a precisely crafted Sametime meeting could potentially contain text that would expose a Cross Site Scripting vulnerability.

This can be addressed in Sametime 7.5.1 by applying an available hotfix. All future releases will contain this fix within the shipping version. Additionally, the same issue was not seen using the EMS server.


Security rating using the Common Vulnerability Scoring System (CVSS):

CVSS Base Score: 1.1
CVSS Temporal Score: 0.9
CVSS Environmental Score: Undefined*
Overall CVSS Score: 0.9

*The CVSS Environment Score is customer environment-specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the referenced links below.

Base Score Metrics:
Related exploit range/Attack Vector: Remote
Attack Complexity: High
Level of Authentication Needed: Required
Confidentiality Impact: Partial
Integrity Impact: None
Availability Impact: None
Impact Value Weighting: Normal

Temporal Score Metrics:
Availability of Exploit: Proof of Concept Code
Type of Fix available: Official Fix
Level of verification that vulnerability exists: Confirmed

References:
Complete CVSS Guide:
http://www.first.org/cvss/cvss-guide.html

Online Calculator:
http://nvd.nist.gov/cvss.cfm?calculator
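The metric names listed above are those of CVSS version 1 (the "Impact Value Weighting" line is the v1 impact bias), so the published Base and Temporal scores can be checked directly from the CVSS v1 formulas in the referenced guide. The following calculator is an added example and is not part of the IBM technote; the metric weights and formulas are taken from the CVSS v1 guide, the metric values are the ones stated on this page, and the environmental inputs (collateral damage potential, target distribution) are left for the customer to supply, since the advisory marks the Environmental Score as undefined.

```python
"""CVSS v1 calculator reproducing the Base and Temporal scores of this advisory.

Added example, not IBM's code. Weights and formulas follow the CVSS v1 guide
(http://www.first.org/cvss/cvss-guide.html); metric values are from the page.
"""
from decimal import Decimal, ROUND_HALF_UP

# Base metric weights (CVSS v1).
ACCESS_VECTOR = {"Local": 0.7, "Remote": 1.0}
ACCESS_COMPLEXITY = {"High": 0.8, "Low": 1.0}
AUTHENTICATION = {"Required": 0.6, "Not Required": 1.0}
IMPACT = {"None": 0.0, "Partial": 0.7, "Complete": 1.0}
# Impact bias ("Impact Value Weighting"): weights for (Confidentiality, Integrity, Availability).
IMPACT_BIAS = {
    "Normal": (0.333, 0.333, 0.333),
    "Confidentiality": (0.5, 0.25, 0.25),
    "Integrity": (0.25, 0.5, 0.25),
    "Availability": (0.25, 0.25, 0.5),
}
# Temporal metric weights (CVSS v1).
EXPLOITABILITY = {"Unproven": 0.85, "Proof of Concept Code": 0.9,
                  "Functional": 0.95, "High": 1.0}
REMEDIATION_LEVEL = {"Official Fix": 0.87, "Temporary Fix": 0.9,
                     "Workaround": 0.95, "Unavailable": 1.0}
REPORT_CONFIDENCE = {"Unconfirmed": 0.9, "Uncorroborated": 0.95, "Confirmed": 1.0}
# Environmental metric weights (CVSS v1); the advisory leaves these to the customer.
COLLATERAL_DAMAGE = {"None": 0.0, "Low": 0.1, "Medium": 0.3, "High": 0.5}
TARGET_DISTRIBUTION = {"None": 0.0, "Low": 0.25, "Medium": 0.75, "High": 1.0}


def round1(x: float) -> float:
    """Round to one decimal place, half up, as the CVSS guide specifies."""
    return float(Decimal(str(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def base_score(av, ac, au, conf, integ, avail, bias="Normal") -> float:
    """BaseScore = 10 * AV * AC * Au * (C*Cbias + I*Ibias + A*Abias)."""
    cb, ib, ab = IMPACT_BIAS[bias]
    impact = IMPACT[conf] * cb + IMPACT[integ] * ib + IMPACT[avail] * ab
    return round1(10 * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac]
                  * AUTHENTICATION[au] * impact)


def temporal_score(base, exploitability, remediation, confidence) -> float:
    """TemporalScore = BaseScore * Exploitability * RemediationLevel * ReportConfidence."""
    return round1(base * EXPLOITABILITY[exploitability]
                  * REMEDIATION_LEVEL[remediation] * REPORT_CONFIDENCE[confidence])


def environmental_score(temporal, collateral, distribution) -> float:
    """EnvScore = (Temporal + (10 - Temporal) * CDP) * TargetDistribution."""
    return round1((temporal + (10 - temporal) * COLLATERAL_DAMAGE[collateral])
                  * TARGET_DISTRIBUTION[distribution])


def sametime_scores(collateral="None", distribution="None") -> dict:
    """Scores for the metrics published in this advisory.

    The environmental inputs default to "None" because the page does not
    define them; pass your own values to obtain a site-specific score.
    """
    base = base_score("Remote", "High", "Required", "Partial", "None", "None", "Normal")
    temporal = temporal_score(base, "Proof of Concept Code", "Official Fix", "Confirmed")
    env = environmental_score(temporal, collateral, distribution)
    return {"base": base, "temporal": temporal, "environmental": env}


if __name__ == "__main__":
    # Expected: base 1.1 and temporal 0.9, matching the advisory.
    print(sametime_scores())
    # A deployment where every Sametime server is reachable (High target
    # distribution) and collateral damage is judged Medium:
    print(sametime_scores(collateral="Medium", distribution="High"))
```

Running it reproduces the Base Score of 1.1 and Temporal Score of 0.9 quoted above; the last call shows how the undefined Environmental Score is filled in once a customer decides how widely the affected servers are deployed and what collateral damage a successful exploit could cause.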


Document information


More support for:

Lotus End of Support Products
Lotus Sametime

Software version:

7.5.1

Operating system(s):

AIX, Windows, i5/OS

Reference #:

1266789

Modified date:

2010-05-24
