|
Lotus Notes Deleted Mail Recipient Security Issue
|
|
Secunia Advisory:
|
SA21096
|
|
|
Release Date:
|
2006-07-17
|
|
Last Update:
|
2006-07-28
|
|
Popularity:
|
8,235 views
|
|
|
Critical:
|
Not critical
|
|
Impact:
|
Exposure of sensitive information
|
|
Where:
|
From remote
|
|
Solution Status:
|
Vendor Workaround
|
|
| Software: | IBM Lotus Notes 6.x
IBM Lotus Notes 7.x
|
|
|
Subscribe:
|
Instant alerts on relevant vulnerabilities 
|
|
| CVE reference: | CVE-2006-3778
|
|
Description:
A security issue has been reported in Lotus Notes, which may expose potentially sensitive information to certain people.
The problem is caused due to an error in the Lotus Notes mail template. Under very specific circumstances, recipients deleted from the "To", "Cc", and "Bcc" fields may still be shown as recipients of a e-mail messages from/to alternate name users. This may result in these people receiving replies, though they never received the original e-mail, if a recipient of the e-mail message replies to all.
This only occurs when the "Default display name" preference is set to "Display alternate names".
Solution:
The vendor has published guidelines for repairing the template (see the vendor's advisory).
Provided and/or discovered by:
Reported by the vendor.
Changelog:
2006-07-28: Added CVE reference.
Original Advisory:
http://www-1.ibm.com/support/docview.wss?rs=899&uid=swg21240386
|
|
|
Track this Secunia Advisory
|
Customers of the Secunia Vulnerability Intelligence solutions will automatically receive updates when new information regarding this advisory is released.
Read more about our Vulnerability Intelligence solutions and what they can do for you and your company.
|
|
|
About this Secunia Advisory
|
Please note: The information that this Secunia Advisory is based on comes from a third party unless stated otherwise.
Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.
|
