CVE-2008-7253
https://notcve.org/view.php?id=CVE-2008-7253
The default configuration of the web server in IBM Lotus Domino Server, possibly 6.0 through 8.0, enables the HTTP TRACE method, which makes it easier for remote attackers to steal cookies and authentication credentials via a cross-site tracing (XST) attack, a related issue to CVE-2004-2763 and CVE-2005-3398. La configuración por defecto del servidor Web en IBM Lotus Domino Server, posiblemente v6.0 hasta v8.0, activa el método HTTP TRACE method, lo que facilita a atacantes remotos a robar las cookies y las credenciales de autenticación a través de un taques de seguimiento de trazas en sitios cruzados (XST), está relacionado con CVE-2004-2763 y CVE-2005-3398. • http://www-01.ibm.com/support/docview.wss?&uid=swg21201202 http://www.kb.cert.org/vuls/id/867593 http://www.kb.cert.org/vuls/id/AAMN-5K42VN http://www.kb.cert.org/vuls/id/AAMN-5K42VT • CWE-16: Configuration •
CVE-2008-2240 – IBM Lotus Domino Web Server - Accept-Language Stack Buffer Overflow
https://notcve.org/view.php?id=CVE-2008-2240
Stack-based buffer overflow in the Web Server service in IBM Lotus Domino before 7.0.3 FP1, and 8.x before 8.0.1, allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via a long Accept-Language HTTP header. Desbordamiento de búfer basado en pila en el Servicio Web Server en IBM Lotus Domino anterior a 7.0.3 FP1 y 8.x anterior a 8.0.1, permite a atacantes remotos provocar una denegación de servicio (caída de demonio) o la posibilidad de ejecutar código de su elección a través de una cabecera HTTP "Accept-Languaje". • https://www.exploit-db.com/exploits/16697 http://secunia.com/advisories/30310 http://secunia.com/advisories/30332 http://www-1.ibm.com/support/docview.wss?uid=swg21303057 http://www.attrition.org/pipermail/vim/2008-May/001988.html http://www.attrition.org/pipermail/vim/2008-May/001989.html http://www.mwrinfosecurity.com/publications/mwri_ibm-lotus-domino-accept-language-stack-overflow_2008-05-20.pdf http://www.securityfocus.com/bid/29310 http://www.securitytracker.com/id?1020098 h • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVE-2007-4474 – IBM Domino Web Access 7.0 Upload Module - 'inotes6.dll' Remote Buffer Overflow
https://notcve.org/view.php?id=CVE-2007-4474
Multiple stack-based buffer overflows in the IBM Lotus Domino Web Access ActiveX control, as provided by inotes6.dll, inotes6w.dll, dwa7.dll, and dwa7w.dll, in Domino 6.x and 7.x allow remote attackers to execute arbitrary code, as demonstrated by an overflow from a long General_ServerName property value when calling the InstallBrowserHelperDll function in the Upload Module in the dwa7.dwa7.1 control in dwa7w.dll 7.0.34.1. Múltiples desbordamientos de búfer basado en pila en el control ActiveX IBM Lotus Domino Web Access, proporcionado en inotes6.dll, inotes62.dll, dwa7.dll, y dwa7w.dll, en Domino 6.x y 7.x permiten a atacantes remotos ejecutar código de su elección, como se ha demostrado mediante un desbordamiento con un valor largo de la propiedad General_ServerName cuando se llama a la función InstallBrowserHelperDll del módulo Upload en el control dwa7.dwa7.1 de dwa7w.dll 7.0.34.1. • https://www.exploit-db.com/exploits/4818 https://www.exploit-db.com/exploits/4820 https://www.exploit-db.com/exploits/5111 https://www.exploit-db.com/exploits/16502 http://lists.grok.org.uk/pipermail/full-disclosure/2007-December/059233.html http://osvdb.org/40954 http://secunia.com/advisories/28184 http://www.kb.cert.org/vuls/id/963889 http://www.securityfocus.com/bid/26972 http://www.securitytracker.com/id?1019138 http://www.vupen.com/english/advisories/2007 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVE-2007-5924
https://notcve.org/view.php?id=CVE-2007-5924
Cross-site scripting (XSS) vulnerability in the Web Server (HTTP) task in IBM Lotus Domino before 6.5.6 FP2, and 7.x before 7.0.2 FP2, allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. Vulnerabilidad de secuencias de comandos en sitios cruzados (XSS) en la tarea del Servidor Web (HTTP) en el IBM Lotus Domino anterior al 6.5.6 FP2 y el 7.x anterior al 7.0.2 FP2, permite a atacantes remotos autenticados la inyección de secuencias de comandos web o HTML de su elección a través de vectores sin especificar. • http://jvn.jp/jp/JVN%2384565055/index.html http://osvdb.org/39720 http://secunia.com/advisories/27509 http://www-1.ibm.com/support/docview.wss?uid=swg21263871 http://www-1.ibm.com/support/docview.wss?uid=swg27010980 http://www.vupen.com/english/advisories/2007/3700 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2007-5544
https://notcve.org/view.php?id=CVE-2007-5544
IBM Lotus Notes before 6.5.6, and 7.x before 7.0.3; and Domino before 6.5.5 FP3, and 7.x before 7.0.2 FP1; uses weak permissions (Everyone:Full Control) for memory mapped files (shared memory) in IPC, which allows local users to obtain sensitive information, or inject Lotus Script or other character sequences into a session. IBM Lotus Notes versiones anteriores 6.5.6, y 7.x versiones anteriores a 7.0.3; y Domino versiones anteriores 6.5.5 FP3, y 7.x versiones anteriores 7.0.2 FP1; utiliza permisos débiles (Control Total:Todos) para ficheros mapeados en memoria (memoria compartida) en IPC, lo cual permite a usuarios locales obtener información confidencial, o inyectar Lotus Script u otras secuencias de caracteres en una sesión. • http://secunia.com/advisories/27321 http://www-1.ibm.com/support/docview.wss?uid=swg21257030 http://www.securityfocus.com/bid/26146 http://www.symantec.com/content/en/us/enterprise/research/SYMSA-2007-013.txt http://www.vupen.com/english/advisories/2007/3598 • CWE-732: Incorrect Permission Assignment for Critical Resource •