CVE-2011-1038

Name of the Vulnerable Software and Affected Versions IBM Lotus Sametime version 8.0.1

Description The issue concerns multiple cross-site scripting (XSS) vulnerabilities in the stconf.nsf component of the server. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML. This can be achieved via two methods: (1) the messageString parameter in a "WebMessage" action, or (2) the PATH INFO.

Recommendations For IBM Lotus Sametime version 8.0.1, consider restricting access to the stconf.nsf component until a fix is available. As a temporary workaround, avoid using the messageString parameter in WebMessage actions and restrict the PATH INFO to minimize the risk of exploitation.