Lotus Domino Server Cross-Site Scripting Vulnerability

vendor:

Lotus Domino Server

by:

SecurityFocus

7.5

CVSS

HIGH

Cross-Site Scripting

CWE

Product Name: Lotus Domino Server

Affected Version From: 6.5.2001

Affected Version To: 6.5.2001

Patch Exists: YES

Related CWE: N/A

CPE: a:ibm:lotus_domino_server

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2002

Lotus Domino Server Cross-Site Scripting Vulnerability

It has been reported that Lotus Domino server may be prone to a cross-site scripting vulnerability that may allow a remote attacker to execute HTML or script code in a user's browser. The issue presents itself due to insufficient sanitization of user-supplied data via the 'Quick Console' function of 'webadmin.nsf' administrative interface.

Mitigation:

Input validation should be used to ensure that user-supplied data is properly sanitized.

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/9901/info

It has been reported that Lotus Domino server may be prone to a cross-site scripting vulnerability that may allow a remote attacker to execute HTML or script code in a user's browser. The issue presents itself due to insufficient sanitization of user-supplied data via the 'Quick Console' function of 'webadmin.nsf' administrative interface.

IBM Lotus Domino server 6.5.1 has been reported to be prone to this issue, however, it is possible that other versions are affected as well.

1)Go to http://www.example.com/webadmin.nsf
2)Go to "server" tab
3)Go to "Quick console" in the left column
4)Give as "Domino command" <script>alert(document.cookie)</script>