Info

Disclosure

Feb 10, 2006

Discovery

Aug 22, 2005

Dates

Exploit

Unknown

Solution

Unknown

Description

Lotus Notes contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate HTML attachments of emails upon displaying them to the user. In addition, Lotus Notes fails to properly sanitise the attachment's file name before displaying it to the user. Both these issues could allow an attacker to create a specially crafted HTML file or a specially crafted file name that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Unknown
Disclosure: OSVDB Verified
OSVDB: Web Related

Solution

Upgrade to version 6.5.5, 7.0.1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

International Business Machines Corporation	Lotus Notes	6.5.4
		7.0

References

Security Tracker: 1015610
Secunia Advisory ID: 16340
Bugtraq ID: 16577
CVE ID: 2006-0662 (see also: NVD) 2006-0663 (see also: NVD)
SCIP VulDB ID: 2037
Related OSVDB ID: 23078 23079
ISS X-Force ID: 24611
VUPEN Advisory: ADV-2006-0499
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2006-02/0183.html
Other Advisory URL: http://secunia.com/secunia_research/2005-38/advisory/
Vendor Specific Advisory URL: http://www-1.ibm.com/support/docview.wss?rs=475&uid=swg21229919

Credit

Jakob Balle - jbsecunia.com - Secunia Research
Tan Chew Keong - vulnsecunia.com - Secunia Research

Direct URL: http://osvdb.org/23077

Info

Disclosure

Discovery

Dates

Exploit

Solution

Description

Classification

Solution

Products

International Business Machines Corporation

Lotus Notes

References

Credit