Some vulnerabilities and weaknesses have been reported in IBM Lotus Connections, which can be exploited by malicious people to disclose potentially sensitive information and conduct spoofing and cross-site scripting attacks.

1) Some vulnerabilities and weaknesses are caused due to the use of vulnerable Dojo code.

For more information:
SA38964

2) Input related to "create" and "edit" forms in the Community component is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

3) Input passed via the "verbiage" parameter in the Bookmarks component is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

4) A security issue is caused due to the Bookmarklet popup window and "Top Updates" links in the Homepage component using HTTP when "force SSL" is enabled.

5) Input related to the mobile Blogs component is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

6) Input passed via unspecified parameters is not properly verified before being used to redirect users. This can be exploited to redirect a user to an arbitrary website when e.g. clicking a specially crafted link to an affected script hosted on a trusted domain.

Solution
Update to Lotus Connections 2.5.0 Fix Pack 2 (2.5.0.2).

Provided and/or discovered by
Reported by the vendor.

Changelog
Further details available to Secunia VIM customers

Original Advisory
IBM (LO47214, LO47429, LO47496, LO47501, LO47610, LO47642, LO47669, LO47921, LO48325, ASRE83PPVH, LO47362, ASRE83PPVH):
http://www-01.ibm.com/support/docview.wss?uid=swg21431472

Other references
Further details available to Secunia VIM customers

Deep Links
Links available to Secunia VIM customers