Vigil@nce: Lotus Notes, Cross Site Scripting via names.nsf
March 2010 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
An attacker can use the names.nsf page of Lotus Notes, in order to
generate a Cross Site Scripting in the web browser of visitors.
– Severity: 2/4
– Creation date: 23/03/2010
DESCRIPTION OF THE VULNERABILITY
The "/names.nsf" page is the personal contact database of Lotus
Notes.
However, parameters received by this page are directly written in
the HTML document. An attacker can therefore use a malicious
parameter, in order to execute JavaScript code in the context of
the Lotus Notes web site.
An attacker can therefore use the names.nsf page of Lotus Notes,
in order to generate a Cross Site Scripting in the web browser of
visitors.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Lotus-Notes-Cross-Site-Scripting-via-names-nsf-9528