IBM Lotus Domino web server Cross-Site Scripting vulnerabilities

Description

A security researcher contacted IBM to report four security vulnerabilities in the IBM Lotus Domino HTTP server that permit cross site scripting. These vulnerabilities could allow remote attackers to steal cookie-based authentication credentials. While fixes for all four are planned for inclusion in Domino 8.5.4, workarounds exist for two in Domino servers 7.0 and later by enabling a single INI setting. As of 15 August 2012, IBM has not received any reports of customer issues related to these security vulnerabilities.

Remediation

Upgrade to Lotus Domino version 8.5.4.

References