IBM Lotus Domino web server Cross-Site Scripting vulnerabilities
Description
IBM Lotus Domino web server versions prior to 8.5.4 contain four cross-site scripting (XSS) vulnerabilities in the HTTP server component. These flaws allow attackers to inject malicious scripts into web pages served by the Domino server, which execute in the context of victim users' browsers. The vulnerabilities stem from improper input validation and output encoding of user-supplied data.
Remediation
Apply one of the following remediation options:
1. Upgrade to Domino 8.5.4 or later (Recommended): Install IBM Lotus Domino version 8.5.4 or higher, which includes fixes for all four XSS vulnerabilities.
2. Apply workaround for Domino 7.0 and later (Temporary): For two of the four vulnerabilities, enable XSS protection by adding the following setting to the server's notes.ini file and restarting the Domino server:
HTTPEnableXSSProtection=1
Note: This workaround only addresses two of the four vulnerabilities. Full remediation requires upgrading to version 8.5.4.
3. Implement defense-in-depth measures: Deploy web application firewalls (WAF) with XSS filtering rules, implement Content Security Policy (CSP) headers, and ensure HTTPOnly and Secure flags are set on session cookies to reduce exploitation risk.
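To check which of the options above are in place on a given server, here is an added Python script (not IBM's code) that evaluates a Domino version string, a notes.ini excerpt and captured response headers against the advisory; the version string format, the sample notes.ini lines and the sample headers are constructed assumptions.

```python
"""Remediation status check for the Domino XSS advisory (added example, not IBM code).

All inputs are constructed: a Domino version string, a notes.ini excerpt and
HTTP response headers as an administrator would collect them from a server.
"""
from __future__ import annotations
import re

FIXED_VERSION = (8, 5, 4)                    # release fixing all four XSS flaws
WORKAROUND_KEY = "HTTPEnableXSSProtection"   # notes.ini setting, Domino 7.0 and later


def parse_version(text: str) -> tuple[int, ...]:
    """Extract the leading dotted numeric version, e.g. 'Release 8.5.3FP6' -> (8, 5, 3)."""
    m = re.search(r"(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def parse_notes_ini(text: str) -> dict[str, str]:
    """Parse key=value lines of a notes.ini; ';' comments and blank lines are ignored."""
    settings: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip()
    return settings


def assess(version: str, notes_ini: str, headers: dict[str, list[str]]) -> dict[str, bool]:
    """Report which remediation options from the advisory are in place."""
    ver = parse_version(version)
    patched = ver >= FIXED_VERSION                      # option 1: upgrade
    ini = parse_notes_ini(notes_ini)
    workaround = ver >= (7, 0) and ini.get(WORKAROUND_KEY.lower()) == "1"  # option 2
    hdrs = {k.lower(): v for k, v in headers.items()}
    csp = "content-security-policy" in hdrs             # option 3: CSP header
    cookies = hdrs.get("set-cookie", [])
    cookie_flags = bool(cookies) and all(              # option 3: HttpOnly + Secure
        "httponly" in c.lower() and "secure" in c.lower() for c in cookies)
    # Only the upgrade covers all four flaws; the workaround covers two of them.
    return {"patched": patched, "workaround": workaround, "csp": csp,
            "cookie_flags": cookie_flags, "fully_remediated": patched}


if __name__ == "__main__":
    SAMPLE_INI = "; constructed notes.ini excerpt\nServerTasks=HTTP,Router\nHTTPEnableXSSProtection=1\n"
    SAMPLE_HEADERS = {"Server": ["Lotus-Domino"],
                      "Set-Cookie": ["SessionID=constructed; Path=/; HttpOnly; Secure"]}
    print(assess("Release 8.5.3FP6", SAMPLE_INI, SAMPLE_HEADERS))
```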