IBM Support

Potential cross-site scripting (XSS) vulnerability in IBM Lotus Sametime client

Technote (FAQ)


Secunia contacted IBM® Lotus® to report a potential cross-site scripting (XSS) vulnerability with the IBM Lotus Sametime® client.

The advisory can be accessed at the following link :


There is a possibility that a Sametime client chat connection could be exploited by a cross-site scripting vulnerability.

In order for an attacker to successfully exploit this vulnerability, the following must be accomplished:

  • User must be using Lotus Sametime for chat purposes
  • Attacker must establish a chat connection with the user
  • Attacker must send specifically crafted content to the user through the chat window
  • User must hover the mouse over the content that is displayed in the chat window

The mouse-over action has been found to initiate the execution of the cross-site scripting vulnerability.


This issue was reported to Quality Engineering as SPR# RDES79TU9C, and has been fixed in Lotus Sametime version 8.0 and is targeted for the next release in the 7.5.1 code stream. Refer to the Upgrade Central site for details on upgrading your Lotus Sametime version to one of these releases.

Note: This issue impacts the Lotus Sametime Chat client only.

For customers who have deployed Sametime 7.5.1 Cumulative Fix 1 (CF1), and are currently unable to upgrade to a release which has resolved the vulnerability, a patch is available. Contact IBM Support to request the patch.

Security Rating using Common Vulnerability Scoring System (CVSS) v2
CVSS Base Score: < 5 >
---- Impact Subscore: < 2.9 >
---- Exploitability Subscore: < 10 >
CVSS Temporal Score: < 3.9 >
CVSS Environmental Score: < Undefined* >
Overall CVSS Score: < 3.9 >
Base Score Metrics:
  • Related exploit range/Attack Vector: < Network >
  • Access Complexity: < Low >
  • Authentication < None >
  • Confidentiality Impact: < None >
  • Integrity Impact: < Partial >
  • Availability Impact: < None >
Temporal Score Metrics:
  • Exploitability: < Proof of Concept Code>
  • Remediation Level: < Official Fix >
  • Report Confidence: < Confirmed >

*The CVSS Environment Score is customer environment-specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the referenced links.

Document information

More support for: Lotus End of Support Products
Lotus Sametime

Software version: 7.5

Operating system(s): Windows

Reference #: 1292938

Modified date: 18 January 2008

Translate this page: