Security Bulletin: Vulnerability in Sametime Links (CVE-2013-0533)

Flash (Alert)


Abstract

A DOM-based cross-site scripting (XSS) vulnerability in Sametime Links can be exploited against logged-in users of the Lotus iNotes webmail interface. A fix is provided.

Content

CVE-ID: CVE-2013-0533


DESCRIPTION


The Lotus iNotes webmail interface includes a Sametime chat component served by Sametime Links. This component is affected by a reflected, DOM-based cross-site scripting (XSS) vulnerability: attacker-controlled input taken from the URL is written into the page by client-side script without proper encoding. Because the chat component is served from the same origin as the webmail interface, an attacker who lures a logged-in user to a crafted link can execute arbitrary script in that user's browser in the context of the webmail session and, for example, gain access to the user's email.

The issue is resolved by updating the Sametime Links server with the fix referenced in the FIX section below.
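As an added illustration, not code from Sametime Links, iNotes or the original bulletin, the following JavaScript shows the generic DOM-based XSS pattern the description refers to, beside the two client-side fixes such a component needs (input allowlisting and output encoding). The chat banner, the `name` URL parameter and all function names are hypothetical and do not reflect the actual Sametime Links code path.

```javascript
// Added illustration (not Sametime/iNotes code) of the DOM-based XSS class
// described in the bulletin: a chat page takes a value straight from its own
// URL and writes it into the page through an HTML sink. The "name" parameter
// and the buildBanner* functions are hypothetical.

// A page reads its own URL via location.search ("?...") or location.hash
// ("#..."); both are parsed the same way here. URLSearchParams is a standard
// web and Node API.
function readParam(urlPart, key) {
  const params = new URLSearchParams(urlPart.replace(/^[?#]/, ''));
  return params.get(key) || '';
}

// VULNERABLE: concatenates the untrusted value into markup destined for
// element.innerHTML. When the payload sits in the fragment (#...), the browser
// never sends it to the server, so server-side filtering sees nothing; that is
// what makes the flaw DOM-based rather than server-reflected.
function buildBannerUnsafe(urlPart) {
  const name = readParam(urlPart, 'name');
  return '<div class="banner">Chat with ' + name + '</div>';
}

// Output encoding for an HTML text context: the five characters that can
// change the meaning of the markup are replaced by entities.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// FIX 1: encode before the HTML sink. The payload is shown to the user as
// literal text instead of being parsed as a tag.
function buildBannerEscaped(urlPart) {
  const name = readParam(urlPart, 'name');
  return '<div class="banner">Chat with ' + escapeHtml(name) + '</div>';
}

// FIX 2: input allowlist. A display name needs letters, digits, spaces and a
// few punctuation characters; anything else is rejected rather than "cleaned".
function isValidDisplayName(name) {
  return /^[\p{L}\p{N} ._'-]{1,64}$/u.test(name);
}

// Defence in depth: validate first, then still encode for the sink the value
// is written to. In a real page, prefer element.textContent or
// document.createTextNode and avoid an HTML sink entirely; string encoding is
// shown here because it can be exercised outside a browser.
function buildBannerHardened(urlPart) {
  const name = readParam(urlPart, 'name');
  if (!isValidDisplayName(name)) {
    return '<div class="banner">Chat</div>';
  }
  return '<div class="banner">Chat with ' + escapeHtml(name) + '</div>';
}

// Constructed demonstration payload; carried in the fragment so that it never
// reaches the server. alert() stands in for script that reads the webmail DOM.
const PAYLOAD_URL = '#name=' + encodeURIComponent('<img src=x onerror=alert(document.cookie)>');

console.log('unsafe  :', buildBannerUnsafe(PAYLOAD_URL));
console.log('escaped :', buildBannerEscaped(PAYLOAD_URL));
console.log('hardened:', buildBannerHardened(PAYLOAD_URL));
```

The unsafe builder emits a live `<img onerror=...>` element; the escaped builder emits `&lt;img ...&gt;`, which the browser renders as text; the hardened builder refuses the value outright. A server-side filter or WAF cannot substitute for either fix when the tainted value comes from `location.hash`, because the fragment is never transmitted.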

CVSS:
CVSS Base Score: 3.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/82655 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/AU:S/C:N/I:P/A:N)

*The CVSS Environmental Score is customer-environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section (below) of this Flash document.



AFFECTED PLATFORMS


Sametime Links 8.0.2, 8.5, 8.5.1, 8.5.1.1, 8.5.1.2, 8.5.2, 8.5.2.1 server on any platform.



REMEDIATION


The recommended solution is to apply the fixes that are provided by IBM for the affected Sametime Links server.



FIX

Refer to the following technote for instructions on how to download the relevant fixes:
"Fix available for potential security vulnerability in IBM Sametime Links server"



WORKAROUND

None known; apply fixes.



MITIGATION

None known; apply fixes.



REFERENCES

X-Force Vulnerability Database: http://xforce.iss.net/xforce/xfdb/82655
CVE-2013-0533: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0533



RELATED INFORMATION


Complete CVSS Guide: http://www.first.org/cvss/cvss-guide.html
On-line Calculator V2: http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2



ACKNOWLEDGEMENT


The vulnerability was reported to IBM by Alexander Klink, n.runs AG.


Document information


More support for:

IBM Sametime
STLinks/Toolkits

Software version:

8.0.2, 8.5, 8.5.1, 8.5.1.1, 8.5.1.2, 8.5.2, 8.5.2.1

Operating system(s):

Linux, Mac OS X, Windows

Reference #:

1633620

Modified date:

2013-04-22
