
V-047: IBM Lotus Foundation Multiple Cross Site Scripting

December 14, 2012 - 12:30am


PROBLEM:

IBM Lotus Foundation Multiple Cross Site Scripting

PLATFORM:

Systems running Lotus Foundations 1.2.2b or earlier:
Lotus Foundations Start 1.2

ABSTRACT:

Two vulnerabilities have been reported in IBM Lotus Foundations.

REFERENCE LINKS:

IBM Security Bulletin: Reference #1620319
IBM Security Bulletin: Reference #1620314
Secunia Advisory SA51572
CVE-2012-1823
CVE-2012-4848

IMPACT ASSESSMENT:

Medium

DISCUSSION:

1) Input passed via the "Users" page in Webconfig is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in the context of an affected site when the malicious data is viewed.

2) An error exists within the bundled version of PHP.
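The following is an added illustration of the defect class in item 1, not code from the advisory or from IBM's Webconfig: a minimal "Users" page renderer that drops user-supplied fields into HTML verbatim, beside the corrected version that HTML-encodes every value at output time, plus a small regression check a defender can keep in a test suite. All names and the sample records are hypothetical and constructed here.

```python
# Added example (not from the advisory or from IBM): a minimal users-page
# renderer showing the unsafe pattern the advisory describes (user-supplied
# fields concatenated into HTML) next to the encoded form. Names are hypothetical.
import html
import re

# Constructed sample records, as a Webconfig-style "Users" page might list them.
# The second "full_name" carries script markup to show what each renderer does with it.
USERS = [
    {"login": "alice", "full_name": "Alice Example"},
    {"login": "mallory", "full_name": '<script>alert("x")</script>'},
]

def render_users_unsafe(users):
    """Vulnerable pattern: fields are dropped into the markup verbatim,
    so any HTML or script stored in a name is rendered as live markup."""
    rows = "".join(
        f"<tr><td>{u['login']}</td><td>{u['full_name']}</td></tr>" for u in users
    )
    return f"<table>{rows}</table>"

def render_users_safe(users):
    """Fixed pattern: every user-controlled value is HTML-encoded at the point
    of output, so stored markup is displayed as text instead of executed."""
    rows = "".join(
        f"<tr><td>{html.escape(u['login'], quote=True)}</td>"
        f"<td>{html.escape(u['full_name'], quote=True)}</td></tr>"
        for u in users
    )
    return f"<table>{rows}</table>"

_SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)

def contains_raw_script(markup):
    """Regression check: does the rendered page contain an actual <script>
    element (as opposed to the escaped text '&lt;script&gt;')?"""
    return bool(_SCRIPT_TAG.search(markup))

if __name__ == "__main__":
    print("unsafe renderer emits a script element:", contains_raw_script(render_users_unsafe(USERS)))
    print("safe renderer emits a script element:  ", contains_raw_script(render_users_safe(USERS)))
```

The same check applies to any other stored field the page echoes back (login, description, group name); encoding must happen wherever the value is written into HTML, not only on the form that accepts it.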

IMPACT:

Two vulnerabilities have been reported in IBM Lotus Foundations Start, which can be exploited by malicious users to conduct script insertion attacks and by malicious people to disclose certain sensitive information or compromise a vulnerable system.

SOLUTION:

Update to version 1.2.2c.
