Title: IBM Lotus Connections Multiple Remote Vulnerabilities
Severity: MODERATE
Description:
IBM Lotus Connections is a web-based application used for sharing information between coworkers, partners, and customers.
The application is prone to multiple vulnerabilities:
1. Multiple cross-site scripting issues occur in the following components:
Homepage
Blogs
Profiles
Dogear
Activities feed and RTE usage from Forum
Global Search
Two other cross-site scripting issues affect the community title and an unspecified API.
2. Multiple SQL-injection issues affect the 'sortField' parameter of unspecified scripts.
3. Multiple information-disclosure issues can help an attacker obtain passwords. One of these issues occurs because the application stores the admin user's password in the 'trace.log' file.
4. Multiple unspecified issues affect the profile pages. These issues are related to Active content.
Exploiting these vulnerabilities could allow an attacker to obtain sensitive information, steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Versions prior to IBM Lotus Connections 2.0.1 are vulnerable.
Affected Products:
- IBM Lotus Connections 2.0
References:
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.
