Minor Notes/Domino scripting vulnerability reported

A newly discovered vulnerability in Notes and Domino 6 can be exploited to execute arbitrary HTML and script code in a user's browser.

According to security Web sites, a newly discovered vulnerability could leave Lotus Notes and Domino vulnerable to certain attacks, even though the exploit is considered minor.

Both the Secunia and the SecurityFocus Bugtraq Web sites report that a cross-site scripting vulnerability has been found in Notes version 6.x and Domino 6. Other versions may be affected as well.

For more information

Learn about Java applet flaws found in Notes.

Read our exclusive on a pair of recent Notes/Domino flaws.

The vulnerability, according to reports, is caused by an input validation error in native Lotus Notes HTML encoding for computed values, where specially crafted input with square brackets is not properly sanitized before being returned to the user.

As a result, the problem can be exploited to execute arbitrary HTML and script code in a user's browser session in context of a vulnerable site.

The vulnerability has been classified as "less critical," and can be avoided by ensuring that inputs containing square brackets are properly sanitized. Additionally, exploitation is reportedly not possible on editable fields.

Dig Deeper on Domino Resources

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.




  • iSeries tutorials

    Search400.com's tutorials provide in-depth information on the iSeries. Our iSeries tutorials address areas you need to know about...

  • V6R1 upgrade planning checklist

    When upgrading to V6R1, make sure your software will be supported, your programs will function and the correct PTFs have been ...

  • Connecting multiple iSeries systems through DDM

    Working with databases over multiple iSeries systems can be simple when remotely connecting logical partitions with distributed ...