V-147: IBM Lotus Notes Mail Client Lets Remote Users Execute Java Applets

May 2, 2013 - 6:00am

PROBLEM:

A vulnerability was reported in IBM Lotus Notes.

PLATFORM:

IBM Notes 8.0.x, 8.5.x, 9.0

ABSTRACT:

A remote user can cause Java applets to be executed on the target user's system.

REFERENCE LINKS:

Security Tracker Alert ID 1028504
IBM Security Bulletin 1633819
CVE-2013-0127
CVE-2013-0538

IMPACT ASSESSMENT:

Medium

DISCUSSION:

The mail client does not filter 'applet' and 'javascript' tags in HTML-based email messages. A remote user can send a specially crafted email message that, when loaded by the target user, will execute arbitrary Java code on the target system. The code will run with the privileges of the target user.
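
A defensive check for the condition described above, added here as an example (it is not part of the original bulletin and is not IBM's fix): it scans the HTML parts of a raw message for the active content the client fails to filter, as a mail gateway might before delivery. Reading "'applet' and 'javascript' tags" as `<applet>` elements, `<script>` elements and `javascript:` URLs is an assumption, as are all names and the constructed sample message.

```python
import email
from email import policy
from html.parser import HTMLParser

# Assumption: the bulletin's "'applet' and 'javascript' tags" is read here as
# <applet> elements, <script> elements and javascript: URLs in link attributes.
ACTIVE_TAGS = {"applet", "script"}
URL_ATTRS = {"href", "src", "codebase", "archive"}

class ActiveContentFinder(HTMLParser):
    """Collects active-content findings from one HTML body."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):  # tag/attribute names arrive lowercased
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            # Drop whitespace and control characters before checking the scheme.
            cleaned = "".join(ch for ch in (value or "") if ch > " ").lower()
            if name in URL_ATTRS and cleaned.startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name} of <{tag}>")

def scan_message(raw_bytes):
    """Return findings for every text/html part of a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder = ActiveContentFinder()
            finder.feed(part.get_content())
            finder.close()
            findings.extend(finder.findings)
    return findings

# Constructed sample message (not taken from the bulletin).
SAMPLE = (
    b"From: sender@example.com\r\nSubject: constructed sample\r\nMIME-Version: 1.0\r\n"
    b'Content-Type: multipart/alternative; boundary="b1"\r\n\r\n'
    b"--b1\r\nContent-Type: text/plain; charset=utf-8\r\n\r\nplain text body\r\n"
    b"--b1\r\nContent-Type: text/html; charset=utf-8\r\n\r\n"
    b'<html><body><APPLET code="Demo.class" width="1" height="1"></APPLET>'
    b'<a href="JavaScript:void(0)">link</a></body></html>\r\n'
    b"--b1--\r\n"
)

if __name__ == "__main__":
    for finding in scan_message(SAMPLE):
        print(finding)
```

A gateway could quarantine or strip the HTML part of any message for which `scan_message` returns findings until the client fix is installed.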

IMPACT:

A remote user can send an email that, when loaded by the target user, will execute arbitrary Java code on the target user's system.

SOLUTION:

The fix will be included in Interim Fix 1 for 8.5.3 Fix Pack 4 and Interim Fix 1 for 9.0.

The vendor has also advised a possible workaround until release.