IBM Domino Web Server Cross-site Scripting Vulnerability (CVE-2015-1981)

["MustLive" <mustlive () websecurity com ua>]

Hello list!

Earlier I wrote about XSS vulnerability in IBM Domino 
(http://seclists.org/fulldisclosure/2015/May/128). I informed IBM in May 
about it and at 17.06.2015 they fixed it and released security bulletin.

Security Bulletin: IBM Domino Web Server Cross-site Scripting Vulnerability 
(CVE-2015-1981) http://www-01.ibm.com/support/docview.wss?uid=swg21959908.

CVE ID: CVE-2015-1981.

-------------------------
Affected products:
-------------------------

Vulnerable are the next products and versions:

IBM Domino 9.0.1 Fix Pack 3 (plus Interim Fixes) and earlier
IBM Domino 8.5.3 Fix Pack 6 (plus Interim Fixes) and earlier
All 9.0 and 8.5.x releases of IBM Domino prior to those listed above

-------------------------
Remediation/Fixes:
-------------------------

IBM proposed fix for the last version of Domino and workarounds and 
mitigations for previous versions of Domino.

Remediation (workarounds see in the bulletin):

A fix for this issue, tracked as SPR# KLYH9WYPR5, is introduced in IBM 
Domino 9.0.1 Fix Pack 4.

Customers running earlier 9.0.x or 8.5.x streams may either use the 
workaround listed in bulletin or contact IBM Support to inquire about the 
possibility of obtaining a hotfix for your environment.

Best wishes & regards,
Eugene Dokukin aka MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/