IBM Support

Cross-site scripting (XSS) vulnerability in Lotus Quickr 8.1 services

Technote (troubleshooting)


There is a potential cross-site scripting (XSS) vulnerability in Lotus Quickr 8.1 services for IBM WebSphere Portal.

Secunia issued an advisory on September 28, 2009, based on APAR #LO36646. The Secunia advisory can be accessed at

Resolving the problem

This issue was originally reported to Quality Engineering and was resolved in iFix #LO36646.

LO36646 is included in the cumulative Document Manager Library iFixes available on IBM Fix Central. You can use the "APAR or SPR" search feature on Fix Central to identify and download the latest fix package that includes APAR LO36646.

Security rating using Common Vulnerability Scoring System (CVSS) v2
CVSS Base Score: <5>
---- Impact Subscore: <2.9>
---- Exploitability Subscore: <10>
CVSS Temporal Score: <3.9>
CVSS Environmental Score: <Undefined*>
Overall CVSS Score: <3.9>
Base Score Metrics:
  • Related exploit range/Attack Vector: <Network>
  • Access Complexity: <Low>
  • Authentication <None>
  • Confidentiality Impact: <Partial>
  • Integrity Impact: <None>
  • Availability Impact: <None>
Temporal Score Metrics:
  • Exploitability: <Proof of Concept Code>
  • Remediation Level: <Official Fix>
  • Report Confidence: <Confirmed>

*The CVSS Environment Score is customer environment-specific and will ultimately impact the overall CVSS score. Customers can evaluate the impact of this vulnerability in their environments by accessing the referenced links.

Document information

More support for: Lotus End of Support Products
Lotus Quickr for WebSphere Portal

Software version: 8.0, 8.1

Operating system(s): AIX, Linux, Windows

Reference #: 1405163

Modified date: 07 December 2009

Translate this page: