V-229: IBM Lotus iNotes Input Validation Flaws Permit Cross-Site Scripting Attacks

August 28, 2013 - 6:00am

PROBLEM:

Several vulnerabilities were reported in IBM Lotus iNotes.

PLATFORM:

IBM Lotus iNotes 8.5.x

ABSTRACT:

IBM Lotus iNotes 8.5.x contains four cross-site scripting vulnerabilities.

REFERENCE LINKS:

Security Tracker Alert ID 1028954
IBM Security Bulletin 1647740 
Seclist.org 
CVE-2013-0590
CVE-2013-0591
CVE-2013-0595

IMPACT ASSESSMENT:

Medium

DISCUSSION:

The software does not properly filter HTML code from user-supplied input before displaying the input. A remote user can cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the IBM Lotus iNotes software and will run in the security context of that site.

IMPACT:

Access control error

SOLUTION:

The vendor has issued a fix, which is available in IBM Domino release 8.5.3 Fix Pack 5.
