Vigil@nce: Lotus Notes, Cross Site Scripting of the RSS Widget
September 2009 by Vigil@nce
An attacker can execute JavaScript code on computers of victims
using the RSS Widget of Lotus Notes.
– Severity: 2/4
– Consequences: client access/rights
– Provenance: document
– Means of attack: no proof of concept, no attack
– Ability of attacker: expert (4/4)
– Confidence: unique source (2/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Creation date: 08/09/2009
IMPACTED PRODUCTS
– Lotus Notes
DESCRIPTION OF THE VULNERABILITY
The IBM Lotus Notes product contains a Widget to display RSS feeds.
However, this Widget saves theses messages on the local computer,
and then opens Internet Explorer to display them. Scripts
contained in these documents are thus executed in the local zone,
instead of the internet zone, which is more restricted.
An attacker can therefore add a malicious script in messages
published in a RSS feed, in order to execute privileged code on
computers of users of this Widget.
CHARACTERISTICS
– Identifiers: BID-36305, CVE-2009-3114, scip_Advisory 4021,
VIGILANCE-VUL-9007
– Url: http://vigilance.fr/vulnerability/Lotus-Notes-Cross-Site-Scripting-of-the-RSS-Widget-9007