Lotus Sametime Input Validation Hole in Chat Client Permits Cross-Site Scripting Attacks
SecurityTracker Alert ID: 1019224
SecurityTracker URL: http://securitytracker.com/id/1019224
CVE Reference: CVE-2008-0354
Updated: Jan 23 2008
Original Entry Date: Jan 16 2008
Impact:
Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 7.5, 7.5.1
Description:
A vulnerability was reported in Sametime. A remote user can conduct cross-site scripting attacks.
The Sametime Chat client does not properly filter HTML code from user-supplied input before displaying the input. A remote user can cause arbitrary scripting code to be executed by the target user's client via the mouse-over action. The code will run in the security context of the chat client. As a result, the code will be able to take actions on the client acting as the target user.
Secunia reported this vulnerability.
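
As an added example (not IBM's code and not part of the advisory), this shows the defensive pattern for the bug class described above: chat text is HTML-escaped before it is rendered, so markup inside a message cannot become live elements with event handlers, and inbound messages that carry inline event-handler attributes are flagged so they can be logged. The sample messages, the `chat-line` markup and the flagging regex are constructed for illustration.

```javascript
// Added example: output encoding for chat text rendered as HTML, plus a
// simple detector for messages that carry inline event-handler attributes.
// Not taken from the Sametime client; all names and samples are constructed.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

// Escape every character that can open or close markup, so user-supplied
// text is displayed literally instead of being parsed as HTML.
function escapeChatText(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Heuristic detector: a tag that carries an on*= attribute (onmouseover,
// onclick, ...). Constructed for logging and alerting, not a substitute
// for escaping the output.
const EVENT_HANDLER_RE = /<[^>]*\son[a-z]+\s*=/i;

function isSuspiciousChatMessage(text) {
  return EVENT_HANDLER_RE.test(String(text));
}

// Build the HTML for one chat line with both sender and text escaped.
function renderChatLine(sender, text) {
  return `<div class="chat-line"><b>${escapeChatText(sender)}</b>: ${escapeChatText(text)}</div>`;
}

// Constructed sample of inbound messages: one benign, one carrying a
// mouse-over handler of the kind the advisory describes.
const SAMPLE_MESSAGES = [
  { sender: 'alice', text: 'Meeting at <b>3pm</b>?' },
  { sender: 'mallory', text: '<span onmouseover="doSomething()">hover me</span>' },
];

// Process a batch: flag suspicious input for the log, and always render
// through the escaper regardless of the flag.
function processMessages(messages) {
  return messages.map((m) => ({
    sender: m.sender,
    flagged: isSuspiciousChatMessage(m.text),
    html: renderChatLine(m.sender, m.text),
  }));
}

for (const result of processMessages(SAMPLE_MESSAGES)) {
  if (result.flagged) {
    console.log(`[alert] inline event handler in message from ${result.sender}`);
  }
  console.log(result.html);
}
```

The flag is a detection aid only; the mitigation is that `renderChatLine` never inserts raw message text into the markup, so the second sample is displayed as visible text rather than as an element whose mouse-over runs script.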
Impact:
A remote user can take actions on the client acting as the target user.
Solution:
The vendor has issued a fixed version (8.0).
A patch is available for 7.5.1 Cumulative Fix 1.
An updated version for version 7.5.x is planned.
The IBM advisory is available at:
http://www-1.ibm.com/support/docview.wss?uid=swg21292938
Vendor URL: www-1.ibm.com/support/docview.wss?uid=swg21292938
Cause:
Input validation error
Underlying OS:
Windows (Any)
Message History:
None.
Source Message Contents
Date: Wed, 16 Jan 2008 12:21:40 -0500
Subject: Potential Cross-Site Scripting (XSS) vulnerability in IBM Lotus Sametime client
http://www-1.ibm.com/support/docview.wss?uid=swg21292938