Rapid7 Vulnerability & Exploit Database

Lotus Notes/Domino Cross Site Scripting



Severity: 8
CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Published: 07/02/2001
Created: 07/25/2018
Added: 11/01/2004
Modified: 12/04/2013

Description

Lotus Domino R5 servers contain a cross-site scripting vulnerability. A web site may inadvertently include malicious HTML tags or script (JavaScript, VBScript, Java, etc.) in a dynamically generated page that is built from unvalidated input from untrustworthy sources. This becomes a problem when the web server does not ensure that generated pages are properly encoded to prevent unintended execution of scripts, and when input is not validated to prevent malicious HTML from being presented to the user.

By requesting a URL such as:

http://domino-server/home.nsf/<img%20src=javascript:alert(document.domain)>

an alert popup appears in the browser, showing that the path segment after the .nsf database name is reflected into the generated page without HTML encoding.
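Attempts of this kind are visible in web-server access logs, since the markup travels in the request path. The following is an added example, not code from Rapid7 or IBM, that scans constructed Common Log Format lines for requests carrying an HTML tag or a javascript: URL after an .nsf path; the log lines and IP addresses are made up, and the percent-decoding loop is there so double-encoded variants are not missed.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format); not real Domino logs.
SAMPLE_LOG = """\
192.0.2.10 - - [02/Jul/2001:10:00:00 +0000] "GET /home.nsf HTTP/1.0" 200 1234
192.0.2.11 - - [02/Jul/2001:10:00:01 +0000] "GET /home.nsf/%3Cimg%20src=javascript:alert(document.domain)%3E HTTP/1.0" 200 512
192.0.2.12 - - [02/Jul/2001:10:00:02 +0000] "GET /names.nsf/People?OpenView HTTP/1.0" 200 4321
192.0.2.13 - - [02/Jul/2001:10:00:03 +0000] "GET /home.nsf/<script>alert(1)</script> HTTP/1.0" 404 300
"""

# Request line inside the quoted part of a CLF entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/\d\.\d"')
# An opening HTML tag, or a javascript: URL, anywhere in the decoded tail.
TAG_RE = re.compile(r"<\s*[a-z!/]", re.IGNORECASE)
JS_RE = re.compile(r"javascript\s*:", re.IGNORECASE)


def decode_fully(s, rounds=3):
    """Percent-decode repeatedly so %253C (double-encoded '<') is caught too."""
    for _ in range(rounds):
        d = unquote(s)
        if d == s:
            break
        s = d
    return s


def is_suspicious(path):
    """True if the path targets an .nsf database and carries markup after it."""
    decoded = decode_fully(path)
    idx = decoded.lower().find(".nsf")
    if idx < 0:
        return False
    tail = decoded[idx + 4:]
    return bool(TAG_RE.search(tail) or JS_RE.search(tail))


def scan_log(text):
    """Return (line number, client IP, raw path) for every suspicious request."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if m and is_suspicious(m.group("path")):
            hits.append((lineno, line.split()[0], m.group("path")))
    return hits


if __name__ == "__main__":
    for lineno, ip, path in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {ip} requested {path}")
```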

Solution(s)

  • lotus-domino-upgrade-r5-5_0_9
