ID CVE-2008-7253
Summary The default configuration of the web server in IBM Lotus Domino Server, possibly 6.0 through 8.0, enables the HTTP TRACE method, which makes it easier for remote attackers to steal cookies and authentication credentials via a cross-site tracing (XST) attack, a related issue to CVE-2004-2763 and CVE-2005-3398.
Vulnerable Configurations
  • cpe:2.3:a:ibm:lotus_domino_server:6.0:*:*:*:*:*:*:*
  • cpe:2.3:a:ibm:lotus_domino_server:6.5:*:*:*:*:*:*:*
  • cpe:2.3:a:ibm:lotus_domino_server:7.0:*:*:*:*:*:*:*
  • cpe:2.3:a:ibm:lotus_domino_server:8.0:*:*:*:*:*:*:*
CVSS
Base: 4.3 (as of 26-01-2010 - 05:00)
Impact:
Exploitability:
CWE CWE-16
CAPEC
Access
Vector: NETWORK
Complexity: MEDIUM
Authentication: NONE
Impact
Confidentiality: PARTIAL
Integrity: NONE
Availability: NONE
cvss-vector via4 AV:N/AC:M/Au:N/C:P/I:N/A:N
refmap via4
cert-vn VU#867593
confirm
Last major update 26-01-2010 - 05:00
Published 25-01-2010 - 19:30
Last modified 26-01-2010 - 05:00