The n.runs AG security advisory states:
Notes 8.5.3 does not filter <applet> tags inside HTML emails. This can be used to load arbitrary Java applets from remote sources (making it an information disclosure as well, as this can be used to trigger an HTTP request once the mail is previewed/opened).
A remote unauthenticated attacker may be able to execute arbitrary code in the context of the user viewing emails within IBM Notes.
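As an added defender-side example (written here, not code from the CERT note or from n.runs AG), the filtering step the advisory says Notes 8.5.3 lacks: a Python HTML rewriter that removes every <applet> element from an HTML mail body, including its <param> children and fallback text, and records the code/codebase each one pointed at so a mail gateway or preview filter can both neutralise and log the attempt. The sample message, the host name example.invalid and the class name Report.class are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin


class AppletStripper(HTMLParser):
    """Rebuilds an HTML document while dropping every <applet> element
    (start tag, everything nested inside it, and its end tag) and recording
    where each stripped applet would have loaded its code from.

    HTMLParser lower-cases tag and attribute names, so <APPLET> and
    <Applet> are caught as well as <applet>.
    """

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []        # pieces of the sanitised document
        self.findings = []   # one dict per stripped applet, for logging
        self._depth = 0      # > 0 while inside an <applet> element

    @staticmethod
    def _attrs_to_str(attrs):
        return "".join(f' {k}="{v}"' if v is not None else f" {k}"
                       for k, v in attrs)

    def _record(self, attrs):
        a = dict(attrs)
        self.findings.append({
            "code": a.get("code"),
            "codebase": a.get("codebase"),
            "archive": a.get("archive"),
            # Where the applet class would have been fetched from.
            "resolved": urljoin(a.get("codebase") or "", a.get("code") or ""),
        })

    def handle_starttag(self, tag, attrs):
        if tag == "applet":
            self._record(attrs)
            self._depth += 1
            return
        if self._depth == 0:
            self.out.append(f"<{tag}{self._attrs_to_str(attrs)}>")

    def handle_startendtag(self, tag, attrs):
        # Self-closing <applet ... /> carries no children; log and drop it.
        if tag == "applet":
            self._record(attrs)
            return
        if self._depth == 0:
            self.out.append(f"<{tag}{self._attrs_to_str(attrs)}/>")

    def handle_endtag(self, tag):
        if tag == "applet":
            if self._depth:
                self._depth -= 1
            return
        if self._depth == 0:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self._depth == 0:
            self.out.append(data)

    def handle_entityref(self, name):
        if self._depth == 0:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if self._depth == 0:
            self.out.append(f"&#{name};")

    def handle_comment(self, data):
        if self._depth == 0:
            self.out.append(f"<!--{data}-->")

    def handle_decl(self, decl):
        if self._depth == 0:
            self.out.append(f"<!{decl}>")


def strip_applets(html):
    """Return (sanitised_html, findings) for one HTML mail body."""
    parser = AppletStripper()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.findings


# Constructed sample mail body: a remote applet hidden in an otherwise
# ordinary message. The host and class name are made up for this example.
SAMPLE_HTML = (
    "<html><body><p>Quarterly report attached.</p>"
    '<APPLET code="Report.class" codebase="http://example.invalid/applets/"'
    ' width="1" height="1"><param name="target" value="x">fallback text</APPLET>'
    "<p>Regards &amp; thanks</p></body></html>"
)

if __name__ == "__main__":
    cleaned, found = strip_applets(SAMPLE_HTML)
    print(cleaned)
    for f in found:
        print("stripped applet loading", f["resolved"])
```

The rewriter fails closed: if an <applet> start tag is never closed, everything after it is dropped rather than passed through, which is the safe behaviour for a preview filter. The findings list gives the resolved codebase URL, which is the value worth alerting on, since the advisory notes that merely previewing the mail would otherwise trigger the outbound request.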
Apply an Update
The following directives should be set to zero in notes.ini to reduce the attack surface.
Although not needed to mitigate this vulnerability, if plug-ins are not needed we recommend that the following directive also be set to zero.
Alternatively, in Notes Basic Preferences, deselect the following three preferences:
Thanks to Alexander Klink for reporting this vulnerability.
This document was written by Jared Allar.