PT-2007-5496 · Ibm · Ibm Lotus Notes

Published 2007-08-13 · Updated 2008-09-05 · CVE-2007-4309

CVSS v2.0: 3.5 (Low)
Vector: AV:N/AC:M/Au:S/C:P/I:N/A:N

Name of the Vulnerable Software and Affected Versions

IBM Lotus Notes versions 5.x through 7.0.2

Description

The issue allows user-assisted remote authenticated administrators to obtain a cleartext notes.id password. This is achieved by setting the notes.ini debug variables KFM_ShowEntropy and Debug_Outfile.

Recommendations

For IBM Lotus Notes versions 5.x through 7.0.2, consider restricting access to the notes.ini file to prevent unauthorized setting of the KFM_ShowEntropy and Debug_Outfile variables until a fix is available. As a temporary workaround, limit the use of debug variables to minimize the risk of exploitation.
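To support the recommendation above, the following added example (not part of the original advisory and not IBM code) audits a notes.ini for the two debug variables, assuming they are written as KFM_ShowEntropy and Debug_Outfile and that setting names are matched case-insensitively. The sample file content and the function names are constructed for illustration.

```python
import sys

# Debug variables named in the advisory (CVE-2007-4309), lower-cased for matching.
WATCHED = {"kfm_showentropy", "debug_outfile"}

# Constructed sample content, not taken from a real system.
SAMPLE_INI = r"""[Notes]
KitType=1
Directory=C:\Lotus\Notes\Data
KFM_ShowEntropy=1
debug_outfile = C:\temp\out.txt
"""


def audit_notes_ini(text):
    """Return (line_number, name, value) for each watched setting found."""
    findings = []
    for number, raw in enumerate(text.lstrip("\ufeff").splitlines(), 1):
        name, sep, value = raw.partition("=")
        if not sep:
            continue  # section header, blank line, or anything without '='
        # Assumption: names are compared case-insensitively, ignoring padding.
        if name.strip().lower() in WATCHED:
            findings.append((number, name.strip(), value.strip()))
    return findings


def audit_file(path):
    """Read a notes.ini from disk and audit it; undecodable bytes are replaced."""
    with open(path, "r", encoding="latin-1", errors="replace") as handle:
        return audit_notes_ini(handle.read())


if __name__ == "__main__":
    # With a path argument, audit that file; otherwise audit the sample.
    results = audit_file(sys.argv[1]) if len(sys.argv) > 1 else audit_notes_ini(SAMPLE_INI)
    for number, name, value in results:
        print(f"line {number}: {name} is set to {value!r}")
    sys.exit(1 if results else 0)
```

A non-zero exit status means at least one of the two variables is present, so the script can be run from an endpoint compliance check; any file named by Debug_Outfile should then be located and reviewed.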


Related identifiers

CVE-2007-4309

Affected products

Ibm Lotus Notes