Security Bulletin: IBM Lotus Domino Web Server Open Redirect (CVE-2012-4842) and Cross-site Scripting (CVE-2012-4844) Vulnerabilities

Technote (troubleshooting)


Problem

IBM Lotus Domino Web server has one open redirect vulnerability and one cross-site scripting vulnerability. Fixes for these issues are planned for release 9.0 and upcoming Fix Packs.

Resolving the problem


VULNERABILITY DETAILS: IBM Lotus Domino Web Server Open Redirect

CVE ID: CVE-2012-4842

DESCRIPTION: A remote unauthenticated attacker could exploit a security vulnerability in IBM Lotus Domino Web server to redirect to a specified URL.

CVSS:
Using the Common Vulnerability Scoring System (CVSS) v2, the security rating for this issue is:

CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79232 for the current score.
CVSS Environmental Score: Undefined
CVSS String: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Access Vector: Network
Access Complexity: Medium
Authentication: No
Confidentiality Impact: None
Integrity Impact: Partial
Availability Impact: None


AFFECTED PLATFORMS:


IBM Lotus Domino 8.5.3 and earlier.

REMEDIATION:

Fix:

This issue is being tracked as SPR KLYH8WBPRN and a fix is planned for release 9.0. To track availability, refer to Notes/Domino Fix List Upcoming Releases.

Workaround:

None

Mitigation(s):

None


VULNERABILITY DETAILS: IBM Lotus Domino Cross-site Scripting

CVE ID: CVE-2012-4844


DESCRIPTION: A remote unauthenticated attacker could exploit a security vulnerability in IBM Lotus Domino Web server to expose user personal data.

CVSS:
Using the Common Vulnerability Scoring System (CVSS) v2, the security rating for this issue is:

CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/79233 for the current score.
CVSS Environmental Score: Undefined
CVSS String: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Access Vector: Network
Access Complexity: Medium
Authentication: No
Confidentiality Impact: None
Integrity Impact: Partial
Availability Impact: None


AFFECTED PLATFORMS:

IBM Lotus Domino 8.5.x.


REMEDIATION:

Fix:

This issue is being tracked as SPR KLYH8WBPRN and is fixed in 9.0 and 8.5.3 Fix Pack 4.

Workaround:

None

Mitigation(s):

None



ACKNOWLEDGEMENT:

These vulnerabilities were reported to IBM by researcher Eugene Dokukin (MustLive). For further information, refer to the following Web site: http://websecurity.com.ua/5839/


Document information

More support for: IBM Domino, Security
Software version: 8.5, 8.5.1, 8.5.2, 8.5.3
Operating system(s): AIX, AIX 64bit, IBM i, Linux, Linux iSeries, Linux zSeries, Solaris, Windows, Windows 64bit, i5/OS, z/OS
Reference #: 1614077
Modified date: 2012-11-30
