Security Bulletin: IBM Lotus Notes URL Command Injection Remote Code Execution Vulnerability (CVE-2012-2174)
Category IBM/Lotus
Flash (Alert)
Abstract
A security vulnerability exists in the IBM Lotus Notes URL handler which permits remote code execution. Malicious URLs could allow remote attackers to execute arbitrary code on installations of Lotus Notes.
Content
VULNERABILITY DETAILS:
CVE ID: CVE-2012-2174
DESCRIPTION: A security vulnerability exists in the IBM Lotus Notes URL handler which permits remote code execution. Malicious URLs could allow remote attackers to execute arbitrary code on installations of Lotus Notes. To exploit this vulnerability, the remote attacker must convince a Notes user running on Windows to click on a malicious URL.
As of 15-Jun-2012, IBM has not received any reports of customer issues related to this security vulnerability.
CVSS:
Using the Common Vulnerability Scoring System (CVSS) v2, the security ratings for this issue are:
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/75320 for the current score.
CVSS Environmental Score: Undefined
CVSS String: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
AFFECTED PLATFORMS:
Lotus Notes 8.0.2, 8.5, 8.5.1, 8.5.2, 8.5.3
REMEDIATION:
Fix(es):
This issue is being tracked by Quality Engineering as SPR# SRAO8U3FUU. A fix for the issue will be introduced in the following release:
Lotus Notes 8.5.3 Fix Pack 2
Note: An interim fix (hotfix) is available upon request by opening a service request with IBM Support.
Workaround:
None known
Mitigation(s):
None known


