Info

Disclosure

Feb 10, 2006

Discovery

Aug 22, 2005

Dates

Exploit

Feb 10, 2006

Solution

Unknown

Description

Lotus Notes contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the subject of an email upon displaying it to the user. This could allow an attacker to create a specially crafted file name that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Public
Disclosure: OSVDB Verified
OSVDB: Web Related

Solution

Upgrade to version 6.5.5, 7.0.1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

International Business Machines Corporation	Lotus Notes	6.5.4
		7.0

References

Security Tracker: 1015610
Secunia Advisory ID: 16340
Bugtraq ID: 16577
CVE ID: 2006-0663 (see also: NVD)
Related OSVDB ID: 23077 23079
ISS X-Force ID: 24612
VUPEN Advisory: ADV-2006-0499
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2006-02/0183.html
Other Advisory URL: http://secunia.com/secunia_research/2005-38/advisory/
Vendor Specific Advisory URL: http://www-1.ibm.com/support/docview.wss?rs=475&uid=swg21229919

Credit

Jakob Balle - jbsecunia.com - Secunia Research

Direct URL: http://osvdb.org/23078

Info

Disclosure

Discovery

Dates

Exploit

Solution

Description

Classification

Solution

Products

International Business Machines Corporation

Lotus Notes

References

Credit