Rechercher
Contactez-nous Suivez-nous sur Twitter En francais English Language
 

Freely subscribe to our NEWSLETTER

Newsletter FR

Newsletter EN

Vulnérabilités

Unsubscribe

Vigil@nce: Lotus Notes, Cross Site Scripting of the RSS Widget

September 2009 by Vigil@nce

An attacker can execute JavaScript code on computers of victims
using the RSS Widget of Lotus Notes.

 Severity: 2/4
 Consequences: client access/rights
 Provenance: document
 Means of attack: no proof of concept, no attack
 Ability of attacker: expert (4/4)
 Confidence: unique source (2/5)
 Diffusion of the vulnerable configuration: high (3/3)
 Creation date: 08/09/2009

IMPACTED PRODUCTS

 Lotus Notes

DESCRIPTION OF THE VULNERABILITY

The IBM Lotus Notes product contains a Widget to display RSS feeds.

However, this Widget saves theses messages on the local computer,
and then opens Internet Explorer to display them. Scripts
contained in these documents are thus executed in the local zone,
instead of the internet zone, which is more restricted.

An attacker can therefore add a malicious script in messages
published in a RSS feed, in order to execute privileged code on
computers of users of this Widget.

CHARACTERISTICS

 Identifiers: BID-36305, CVE-2009-3114, scip_Advisory 4021,
VIGILANCE-VUL-9007
 Url: http://vigilance.fr/vulnerability/Lotus-Notes-Cross-Site-Scripting-of-the-RSS-Widget-9007


See previous articles

    

See next articles


Your podcast Here

New, you can have your Podcast here. Contact us for more information ask:
Marc Brami
Phone: +33 1 40 92 05 55
Mail: ipsimp@free.fr

All new podcasts