Matt Farey has reported some vulnerabilities in IBM Lotus Domino Web Access, which can be exploited by malicious people to conduct cross-site scripting attacks.

1) Input passed via the "hSetReturnURL" attribute of the "PresetFields" parameter to the "($Contacts)/$new/?EditDocument" URL of a user's mail NSF file is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

2) Input passed via the "OrigUrl" parameter to the "iNotes/Proxy/?OpenDocument" URL of a user's mail NSF file (when "Form" is set to "s_UnsupportedBrowser") is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

3) Input passed via the URL and to the "m_Status" attribute of the "PresetFields" parameter to the "iNotes/Proxy/?OpenDocument" URL of a user's mail NSF file (when "Form" is set to "m_MailView") is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Solution
Apply Cumulative Hotfix Pack 229.261 for Domino 8.0.2FP3, or update to version 8.5.1.

Provided and/or discovered by
Matt Farey, reported via Secunia.

Changelog
Further details available to Secunia VIM customers

Original Advisory
IBM (LSHR7TBLY5, LSHR7TBM58, LSHR7TBMQU):
http://www-01.ibm.com/support/docview.wss?uid=swg27017776

http://www-01.ibm.com/support/docview.wss?uid=swg21417063

Deep Links
Links available to Secunia VIM customers