Lotus Notes contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate HTML attachments of emails upon displaying them to the user. In addition, Lotus Notes fails to properly sanitise the attachment's file name before displaying it to the user. Both these issues could allow an attacker to create a specially crafted HTML file or a specially crafted file name that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Upgrade to version 6.5.5, 7.0.1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

• Security Tracker: 1015610
• Secunia Advisory ID: 16340
• Bugtraq ID: 16577
• CVE ID: 2006-0662 (see also: NVD) 2006-0663 (see also: NVD)
• SCIP VulDB ID: 2037
• Related OSVDB ID: 23078 23079
• ISS X-Force ID: 24611
• VUPEN Advisory: ADV-2006-0499
• Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2006-02/0183.html
• Other Advisory URL: http://secunia.com/secunia_research/2005-38/advisory/
• Vendor Specific Advisory URL: http://www-1.ibm.com/support/docview.wss?rs=475&uid=swg21229919

• Jakob Balle - jbsecunia.com - Secunia Research
• Tan Chew Keong - vulnsecunia.com - Secunia Research