Potential cross-site scripting vulnerabilities in Lotus iNotes ultra-light mode

Technote (troubleshooting)


Secunia contacted IBM Lotus to report several potential cross-site scripting vulnerabilities in Lotus iNotes ultra-light mode. Link to Secunia advisory http://secunia.com/advisories/38026/

Resolving the problem

To exploit these vulnerabilities the following would have to happen :

(1) A user's mail file must be using a design which includes the iNotes ultra-light mode design (first introduced in version 8.0.2)

(2) An attacker would have to create and send a malicious URL to the user

(3) The iNotes ultra-light mode enabled user would need to be enticed to click on the malicious URL

Note: iNotes users do not have to be using ultra-light mode to be vulnerable; ultra-light mode just has to be enabled for their server and mail file.

Three potential scenarios have been identified where HTML or script code could be inserted into the following areas:

(1) Ultra-light mode "Edit Contact" scene

(2) Unsupported browser page

(3) Status alerts in ultra-light mode

Fixed in releases

-- iNotes 8.5.1 (See technote #4023729 for download information)

-- iNotes cumulative hotfix 229.261 for Domino 8.0.2 Fix Pack 3 (Available on Fix Central; See technote #7017776 for more information)

SPR # Issue
LSHR7TBLY5 Inserting HTML or script code into the ultra-light mode edit contact scene
LSHR7TBMQU Inserting HTML or script code into the unsupported browser page.
LSHR7TBM58 Inserting HTML or script code into the status alerts in ultra-light mode

Additional Background

In general, users are strongly urged to use caution when opening or following unsolicited URLs especially if the actual link points somewhere you wouldn't expect. Users can see the actual URL target of link text by displaying the properties of that link, usually by right-clicking on the link text and selecting 'properties'.

Security Rating using Common Vulnerability Scoring System (CVSS) v2
CVSS Base Score: < 3.5 >
---- Impact Subscore: < 2.9 >
---- Exploitability Subscore: < 6.8 >
CVSS Temporal Score: < 2.7 >
CVSS Environmental Score: < Undefined* >
Overall CVSS Score: < 2.7 >
Base Score Metrics:
  • Related exploit range/Attack Vector: < Network >
  • Access Complexity: < Medium >
  • Authentication < Single Instance >
  • Confidentiality Impact: < None >
  • Integrity Impact: < Partial >
  • Availability Impact: < None >
Temporal Score Metrics:
  • Exploitability: < Proof of Concept Code>
  • Remediation Level: < Official Fix >
  • Report Confidence: < Confirmed >

*The CVSS Environment Score is customer-environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the referenced links.

Related information Lotus iNotes 229.261 Cumulative Interim Fix
Fix Central

Cross reference information
Segment Product Component Platform Version Edition
Messaging Applications IBM iNotes Linux, Mac OS X, Windows 8.5.1, 8.5

Document information

More support for:

Lotus Domino Web Access

Software version:


Operating system(s):

Linux, OS X, Windows

Reference #:


Modified date:


Translate my page

Content navigation