IBM Lotus Domino cross-site scripting
lotus-domino-css (6789): High Risk
Lotus Domino Server could allow a remote attacker to execute arbitrary code on the Web server. A remote attacker can embed specially crafted text in a URL. The request would generate an error on the Web server, but the arbitrary code would not execute on the system until a client opens a Web browser.
Upgrade to the latest version of Lotus Notes/Domino (5.0.9 or later) when it becomes available from the Notes.net Web site. See References.
As a workaround, customize error pages.
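An added example (not from the advisory or from IBM) of what the error-page workaround has to achieve: a model of an error page that echoes request text raw, next to a customized page that shows a fixed message or HTML-encodes the path. The template, function names and sample path are constructed assumptions; this is Python for illustration, not Domino configuration.

```python
# Added example: a model of an error page that echoes the requested path.
# Template, function names and sample path are assumptions, not Domino code.
import html
from urllib.parse import unquote

ERROR_TEMPLATE = "<html><body><h1>Error 404</h1><p>{detail}</p></body></html>"

# Constructed sample request path carrying harmless HTML markup.
SAMPLE_PATH = "/sample.nsf/%3Cb%3Emarker%3C%2Fb%3E"


def default_error_page(raw_path: str) -> str:
    """Unsafe pattern: decoded request text is placed in the HTML as-is."""
    return ERROR_TEMPLATE.format(detail="Cannot find " + unquote(raw_path))


def custom_error_page(raw_path: str, echo_request: bool = False) -> str:
    """Customized page: fixed message by default. If the path is echoed,
    it is HTML-encoded so the browser renders it as text, not markup."""
    if not echo_request:
        return ERROR_TEMPLATE.format(detail="The requested page was not found.")
    shown = html.escape(unquote(raw_path), quote=True)
    return ERROR_TEMPLATE.format(detail="Cannot find " + shown)


def reflects_markup(page: str, raw_path: str) -> bool:
    """Regression check: True if markup from the request appears unencoded."""
    decoded = unquote(raw_path)
    return any(c in decoded for c in "<>\"'") and decoded in page


if __name__ == "__main__":
    pages = [
        ("default", default_error_page(SAMPLE_PATH)),
        ("custom, fixed message", custom_error_page(SAMPLE_PATH)),
        ("custom, encoded echo", custom_error_page(SAMPLE_PATH, echo_request=True)),
    ]
    for name, page in pages:
        print(f"{name}: reflects markup = {reflects_markup(page, SAMPLE_PATH)}")
```

The `reflects_markup` check can serve as a regression test after the error page is customized: request a nonexistent path containing markup and confirm the response does not contain it unencoded.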
- BugTraq Mailing List, Mon Jul 02 2001 - 06:38:06 CDT: Lotus Domino Server Cross-Site Scripting Vulnerability.
- BugTraq Mailing List, Mon Jul 02 2001 - 13:40:14 CDT: Re: Lotus Domino Server Cross-Site Scripting Vulnerability.
- CERT Advisory CA-2000-02: Malicious HTML Tags Embedded in Client Web Requests.
- Notes.net Web site: Welcome to the Notes/Domino Fix List Database.
- BID-2962: Lotus Domino Server Cross Site Scripting Vulnerability
- OSVDB ID: 1887: IBM Lotus Domino Server NSF Handling URI XSS
- US-CERT VU#642239: Lotus Domino Server R5 vulnerable to Cross-Site Scripting via passing of user input directly to default error page
- IBM Lotus Domino R5 5.0.6
Jul 02, 2001