Overview
Lotus iNotes contains a buffer overflow that could permit a remote attacker to execute arbitrary code or cause a denial of service on a vulnerable server.
Description
Lotus iNotes Web Access is a web-based database application that provides "access to corporate messaging services and personal information through a Web browser." NGSSoftware has researched and reported a buffer overflow vulnerability in iNotes that can be triggered via a specially crafted s_ViewName value of the PresetFields parameter. For further information, see NGSSoftware Insight Security Research Advisory #NISR17022003b. Lotus is tracking this issue as SPR# KSPR5HUPEK. Further information is available in IBM Technote 1104542.
Impact
A remote attacker could execute arbitrary code with the privileges of the Domino server process or cause a denial of service.
Solution
Upgrade
References
- http://www.lotus.com/products/inotes.nsf
- http://www.lotus.com/products/inotes.nsf/allpublic/53380DDF183DC9A38525697C006E652E?opendocument
- http://www.nextgenss.com/advisories/lotus-inotesoflow.txt
- http://www-1.ibm.com/support/docview.wss?uid=swg21104542
- http://www-1.ibm.com/support/docview.wss?uid=swg27003694
- http://www-10.lotus.com/ldd/r5fixlist.nsf/a8f0ffda1fc76c8985256752006aba6c/fcd56eb247bf688085256cca0070f90c?OpenDocument
Acknowledgements
This vulnerability was reported by Mark Litchfield of NGSSoftware.
This document was written by Art Manion.
Other Information
- CVE IDs: None
- CERT Advisory: CA-2003-11
- Severity Metric: 18.51
- Date Public: 2003-02-17
- Date First Published: 2003-02-19
- Date Last Updated: 2003-03-26 17:44 UTC
- Document Revision: 27