Secunia contacted IBM® Lotus® to report a potential cross-site scripting (XSS) vulnerability with the IBM Lotus Sametime® client.
The advisory can be accessed at the following link:
There is a possibility that a Sametime client chat connection could be exploited by a cross-site scripting vulnerability.
In order for an attacker to successfully exploit this vulnerability, the following must be accomplished:
- User must be using Lotus Sametime for chat purposes
- Attacker must establish a chat connection with the user
- Attacker must send specifically crafted content to the user through the chat window
- User must hover the mouse over the content that is displayed in the chat window
The mouse-over action has been found to trigger the cross-site scripting.
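The conditions above mean the chat window renders attacker-controlled markup with its event-handler attributes intact, so a hover can run script. As an added illustration (not IBM's code and not the Sametime fix), the following Python allow-list sanitizer shows the kind of filtering a chat client or server can apply before display: it drops every on* handler attribute and any script-scheme link while keeping plain formatting; the allowed tag set, function names and the sample message are assumptions.

```python
# Added example (not IBM's code): allow-list sanitizer for rich-text chat
# messages. Every on* attribute (onmouseover included) and any href that is
# not a plain http/https/mailto URL is removed, so hovering over or clicking
# rendered chat content cannot execute script.
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"b", "i", "u", "a", "span", "br"}          # assumed allow-list
ALLOWED_ATTRS = {"a": {"href"}, "span": {"class"}}
SAFE_SCHEMES = ("http://", "https://", "mailto:")


class ChatSanitizer(HTMLParser):
    """Rebuilds a message from allow-listed tags and attributes only."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []  # names of removed attributes, useful for logging

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # unknown tag is discarded; its text is still kept (escaped)
        kept = []
        for name, value in attrs:
            name = name.lower()
            value = value or ""
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append(name)          # event handlers never survive
                continue
            if name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES):
                self.dropped.append(name)          # javascript:/data: links removed
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))  # text content is always escaped


def sanitize_chat_message(raw):
    """Return (clean_html, dropped_attribute_names) for one chat message."""
    parser = ChatSanitizer()
    parser.feed(raw)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed sample: formatting is kept, the inline mouse-over handler is not.
SAMPLE = '<span class="msg" onmouseover="doSomething()">hi <b>there</b></span>'
```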
This issue was reported to Quality Engineering as SPR# RDES79TU9C, and has been fixed in Lotus Sametime version 8.0 and is targeted for the next release in the 7.5.1 code stream. Refer to the Upgrade Central site for details on upgrading your Lotus Sametime version to one of these releases.
Note: This issue impacts the Lotus Sametime Chat client only.
For customers who have deployed Sametime 7.5.1 Cumulative Fix 1 (CF1), and are currently unable to upgrade to a release which has resolved the vulnerability, a patch is available. Contact IBM Support to request the patch.
Security Rating using Common Vulnerability Scoring System (CVSS) v2
CVSS Base Score: 5
    Impact Subscore: 2.9
    Exploitability Subscore: 10
CVSS Temporal Score: 3.9
CVSS Environmental Score: Undefined*
Overall CVSS Score: 3.9
Base Score Metrics:
Temporal Score Metrics:
*The CVSS Environmental Score is customer environment-specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the referenced links.