PT-2008-2809 · Ibm · Ibm Lotus Quickr+1

Published 2008-03-09 · Updated 2018-10-11 · CVE-2008-1216

CVSS v2.0: 6.8 Medium
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions

IBM Lotus Quickr version 8.0
IBM Lotus QuickPlace versions 7.x

Description

The issue allows remote attackers to inject arbitrary web script or HTML via a Calendar OpenDocument action to "main.nsf" with a Count parameter containing a JavaScript event in a malformed element. This can be demonstrated by an onload event in an IFRAME element.

Recommendations

For IBM Lotus Quickr version 8.0, update the software to properly identify URIs containing cross-site scripting attack strings. For IBM Lotus QuickPlace versions 7.x, restrict access to the Calendar OpenDocument action until a proper fix is applied. As a temporary workaround, consider disabling the onload event in IFRAME elements to minimize the risk of exploitation.
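A detection check a defender could run over web-server access logs to find requests with the shape described above (a main.nsf OpenDocument action whose Count parameter carries markup or an event-handler attribute). This is an added example, not part of the advisory or the vendor's code; the log lines and the /QuickPlace/team/... paths are constructed, and the decoding of the value a second time is an assumption made to catch double-encoded input.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (not from the advisory). Only the
# third request carries an HTML element with an event-handler attribute
# inside the Count parameter.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Mar/2008:10:01:02 +0000] "GET /QuickPlace/team/main.nsf/h_Toc/abc?OpenDocument&Count=30 HTTP/1.1" 200 5120
10.0.0.6 - - [09/Mar/2008:10:01:07 +0000] "GET /QuickPlace/team/main.nsf/h_Toc/abc?OpenDocument HTTP/1.1" 200 4800
10.0.0.7 - - [09/Mar/2008:10:01:09 +0000] "GET /QuickPlace/team/main.nsf/h_Toc/abc?OpenDocument&Count=%3Ciframe%20onload%3Dx%3E HTTP/1.1" 200 4900
10.0.0.8 - - [09/Mar/2008:10:01:12 +0000] "GET /QuickPlace/team/index.html?Count=%3Cb%3E HTTP/1.1" 200 300
"""

# Common Log Format: client, timestamp, request line, status.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)'
)
# A tag opener or an HTML event-handler attribute (onload=, onerror=, ...).
MARKUP_RE = re.compile(r'<|\bon[a-z]+\s*=', re.IGNORECASE)


def is_suspicious_target(target):
    """True if the request hits main.nsf with an OpenDocument action and a
    Count parameter that contains markup or an event-handler attribute."""
    parts = urlsplit(target)
    if "main.nsf" not in parts.path.lower():
        return False
    params = {k.lower(): v
              for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    if "opendocument" not in params:
        return False
    # parse_qs already percent-decodes once; decode again so a
    # double-encoded value is still inspected (assumption, see lead-in).
    return any(MARKUP_RE.search(unquote(v)) for v in params.get("count", []))


def scan_log(text):
    """Return (client ip, timestamp, request target) for each suspicious line."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m and is_suspicious_target(m.group("target")):
            hits.append((m.group("ip"), m.group("ts"), m.group("target")))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("suspicious:", *hit)
```

A hit on a Quickr 8.0 host is a reason to confirm the update has been applied; on QuickPlace 7.x it shows the access restriction recommended above is not yet in place.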

Fix

RCE


Weakness Enumeration

Related Identifiers

CVE-2008-1216

Affected Products

Ibm Lotus Quickplace
Ibm Lotus Quickr