Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

IBM Lotus Domino 8.5.4 / 8.5.3 Cross Site Scripting

🗓️ 28 May 2015 00:00:00Reported by MustLiveType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 36 Views

IBM Domino 8.5.4/8.5.3 Cross-Site Scripting Vulnerabilit

Code
`Hello list!  
  
I want to warn you about Cross-Site Scripting vulnerability in IBM Domino.   
This is one from many vulnerabilities in Domino, which I've found at   
03.05.2012. In previous years I wrote about multiple vulnerabilities in   
Lotus Domino (http://securityvulns.ru/docs29277.html) and Lotus Notes   
Traveler (http://securityvulns.ru/docs30224.html).  
  
During 2012-2013 I informed IBM that have other holes in Domino (as this   
XSS), besides previous holes, but they were not interested.  
  
-------------------------  
Affected products:  
-------------------------  
  
Vulnerable are IBM Lotus Domino 8.5.3, 8.5.4 (in which I tested) and   
previous versions. Versions Domino 9.0 and 9.0.1 also must be vulnerable   
(since IBM hasn't fix it earlier).  
  
-------------------------  
Affected vendors:  
-------------------------  
  
IBM Domino (formerly IBM Lotus Domino)  
http://www-03.ibm.com/software/products/us/en/ibmdomino/  
  
----------  
Details:  
----------  
  
Cross-Site Scripting (WASC-08):  
  
http://site/mail/user.nsf/fc9368429d022147c3256c6a005431ff/3c575ad7c19a9ca0c22572b3002d5087/Body/%22;}alert(document.cookie);function%20a(){a=%22  
  
For conducting XSS attack it's needed to know hashes in address of a letter.   
They can be found via information leakage (i.e. embedded image) or via other   
XSS vulnerability.  
  
------------  
Timeline:  
------------   
  
Full timeline read in the first advisory   
(http://securityvulns.ru/docs28474.html).  
  
- During 16.05-20.05.2012 I've wrote announcements about multiple   
vulnerabilities in IBM software at my site.  
- During 16.05-20.05.2012 I've wrote five advisories via contact form at IBM   
site.  
- At 31.05.2012 I've resend five advisories to IBM PSIRT, which they   
received and said they would send them to the developers (of Lotus   
products).  
- At 18.08.2012 I've reminded IBM about multiple holes and gave enough   
arguments to fix them.  
- At 14.04.2013 I've again remind IBM about Brute Force and Insufficient   
Authentication holes.  
- At 23.04.2013 IBM answered that they would not fix Brute Force and   
Insufficient Authentication holes and don't interested in this XSS.  
- During 15.02.2013-26.04.2013 I disclosed at my site about previous   
vulnerabilities IBM Lotus Domino.  
- At 26.05.2015 I've disclosed this vulnerability at my site   
(http://websecurity.com.ua/7783/).  
  
Best wishes & regards,  
MustLive  
Administrator of Websecurity web site  
http://websecurity.com.ua   
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
28 May 2015 00:00Current
7.4High risk
Vulners AI Score7.4
ibm dominocross-site scriptingsoftware securityvulnerabilityinformation leakagexss attacktimelinewebsecurityibm psirtibm developers
36