Abstract
IBM® Lotus iNotes® 8.5.x contains four cross-site scripting vulnerabilities. The fixes for these issues are available in IBM® Lotus Domino® release 8.5.3 Fixpack 5.
Content
IBM iNotes has four cross-site scripting vulnerabilities. Two of the vulnerabilities share the same CVE ID (CVE-2013-0595). These vulnerabilities could allow a remote unauthenticated attacker to expose user personal data.
VULNERABILITY DETAILS: IBM iNotes Cross-site Scripting vulnerabilities
CVE ID: CVE-2013-0590, CVE-2013-0591, CVE-2013-0595
DESCRIPTION: A remote unauthenticated attacker could exploit a security vulnerability in IBM iNotes to expose user personal data.
CVSS:
CVE ID: CVE-2013-0590
CVSS Base Score: 3.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/83814 for the current score.
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/AU:S/C:N/I:P/A:N)
Access Vector: Network
Access Complexity: Medium
Authentication: Single
Confidentiality Impact: None
Integrity Impact: Partial
Availability Impact: None
CVE ID: CVE-2013-0591
CVSS Base Score: 3.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/83381 for the current score.
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/AU:S/C:N/I:P/A:N)
Access Vector: Network
Access Complexity: Medium
Authentication: Single
Confidentiality Impact: None
Integrity Impact: Partial
Availability Impact: None
CVE ID: CVE-2013-0595
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/83431 for the current score.
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/AU:N/C:N/I:P/A:N)
Access Vector: Network
Access Complexity: Medium
Authentication: No
Confidentiality Impact: None
Integrity Impact: Partial
Availability Impact: None
AFFECTED PLATFORMS:
IBM iNotes 8.5.x
REMEDIATION:
Fix:
All three of these issues are being tracked through SPR #PTHN95XNR3. The fix is available in IBM Domino release 8.5.3 Fix Pack 5, which can be accessed here:
http://www-01.ibm.com/support/docview.wss?uid=swg24032242
Workaround:
None
Mitigation(s):
None
REFERENCES:
CVE-2013-0590
CVE-2013-0591
CVE-2013-0595
Complete CVSS Guide
On-line Calculator V2
X-Force Vulnerability Database (http://xforce.iss.net/xforce/xfdb/83814, http://xforce.iss.net/xforce/xfdb/83381 and http://xforce.iss.net/xforce/xfdb/83431)
RELATED INFORMATION:
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
ACKNOWLEDGEMENT:
These vulnerabilities were reported to IBM by Alexander Klink of n.runs AG.