Vigil@nce: Lotus Domino, Cross-Site Scripting in the help
March 2010 by Vigil@nce
An attacker can invite the victim to display a malicious URL, in order to execute JavaScript code in the victim's browser, in the context of the Lotus Domino server.
Severity: 2/4
Consequences: client access/rights
Provenance: document
Means of attack: 1 attack
Ability of attacker: technician (2/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 02/03/2010
IMPACTED PRODUCTS
Lotus Domino
DESCRIPTION OF THE VULNERABILITY
The Domino help is reachable via the following URL: http://server/help/readme.nsf/
The HTML "base" element indicates the path which is common to all relative URLs of the page. For example: <base target="http://server/common">
When the URL contains the "BaseTarget=example" parameter, Domino generates HTML code containing the indicated target: <base target="example"> ... script ... document._domino_target = "example";
However, the help page does not filter the value of BaseTarget before including it in the HTML code.
An attacker can therefore invite the victim to display a malicious URL, in order to execute JavaScript code in the victim's browser, in the context of the Lotus Domino server.
This bulletin may be a duplicate of VIGILANCE-VUL-5199 (https://vigilance.fr/tree/1/5199), but this is not confirmed.
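The missing filtering described above, as an added example (it is not Domino's code and not part of the bulletin): a Python sketch of a page generator that copies BaseTarget verbatim, next to one that validates the value and then encodes it for each of the two contexts it lands in, the HTML attribute and the JavaScript string. The function names, the allowed-name pattern and the "_self" fallback are assumptions.

```python
import html
import json
import re

# Assumed policy: the four reserved target keywords, or a plain frame name.
_KEYWORDS = {"_blank", "_self", "_parent", "_top"}
_FRAME_NAME = re.compile(r"[A-Za-z][A-Za-z0-9_-]{0,63}")


def validate_target(value):
    """Return value if it is an acceptable target name, else None."""
    if value in _KEYWORDS or _FRAME_NAME.fullmatch(value):
        return value
    return None


def js_string(value):
    """Encode value as a JavaScript string literal that is safe inside <script>."""
    out = json.dumps(value)  # quotes, backslashes, control chars; non-ASCII -> \uXXXX
    # json.dumps leaves <, > and & alone; escape them so the literal cannot
    # close the script element or start an HTML comment.
    return out.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")


def render_unfiltered(base_target):
    """The behaviour the bulletin describes: the value is copied verbatim."""
    return ('<base target="%s">\n<script>document._domino_target = "%s";</script>'
            % (base_target, base_target))


def render_encoded(base_target, default="_self"):
    """Validate first, then encode separately for each output context."""
    target = validate_target(base_target) or default
    attr = html.escape(target, quote=True)  # HTML attribute context
    return ('<base target="%s">\n<script>document._domino_target = %s;</script>'
            % (attr, js_string(target)))


# Constructed sample value containing the characters that end both contexts.
SAMPLE = 'x"></script><i>'

if __name__ == "__main__":
    print(render_unfiltered(SAMPLE))   # attribute and script are both closed early
    print(render_encoded(SAMPLE))      # rejected, falls back to the default target
    print(render_encoded("mainFrame")) # ordinary frame name passes through
```

Validation alone would be enough for this parameter, but the per-context encoders stay in place so that a later loosening of the allowed pattern does not reopen the hole.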
CHARACTERISTICS
Identifiers: BID-38481, CYBSEC Advisory#2010-030, CYBSEC Advisory#2010-0301, VIGILANCE-VUL-9486
Url: http://vigilance.fr/vulnerability/L...




