Potential vulnerability in servlet engine/Web container in Lotus Domino Web servers

Technote (troubleshooting)


Problem

There is a potential cross-site scripting (XSS) vulnerability in the servlet engine/Web container in Lotus Domino Web servers. This vulnerability could be exposed by a malformed HTTP request.



The following would all have to be true in order to exploit this vulnerability:

  • The Domino Web (HTTP) server task must be enabled
  • The attacker must be able to authenticate to and connect to the Domino Web server using a Web browser
  • The attacker, using a Web browser, must craft a specific malicious HTTP request that triggers the cross-site scripting vulnerability
  • The Domino Web server must process that malicious request; it is this processing that exposes the vulnerability

Resolving the problem

This issue was reported to Quality Engineering as SPR# MKIN7AUTAC, and has been fixed in Lotus Domino releases 7.0.3 Fix Pack 1 (FP1) and 8.0.1.



Refer to the Upgrade Central site for details on upgrading Notes/Domino.

Security Rating using Common Vulnerability Scoring System (CVSS) v2

CVSS Base Score: < 3.5 >
  • Impact Subscore: < 2.9 >
  • Exploitability Subscore: < 6.8 >
CVSS Temporal Score: < 2.7 >
CVSS Environmental Score: < Undefined* >
Overall CVSS Score: < 2.7 >

Base Score Metrics:
  • Related exploit range/Attack Vector: < Network >
  • Access Complexity: < Medium >
  • Authentication: < Single >
  • Confidentiality Impact: < None >
  • Integrity Impact: < Partial >
  • Availability Impact: < None >

Temporal Score Metrics:
  • Exploitability: < Proof of Concept Code >
  • Remediation Level: < Official Fix >
  • Report Confidence: < Confirmed >
References:

*The CVSS Environment Score is customer environment-specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the referenced links.


Document information

Product: Lotus Domino Web Access (General)
Software version: 7.0, 7.0.1, 7.0.2, 7.0.3, 8.0, 8.0.1
Operating system(s): Linux, Windows
Reference #: 1303296
Modified date: 2008-05-22
