Multiple vulnerabilities have been identified in IBM Lotus Connections, which could be exploited by attackers to bypass security restrictions or gain knowledge of sensitive information. These issues are caused by input validation and design errors in the Dojo, Community, Homepage, Bookmarks and Blogs components, and other unspecified modules when processing user-supplied data or when connecting to certain web sites, which could allow information disclosure, or cross site scripting and phishing attacks.

Affected Products

IBM Lotus Connections versions prior to 2.5.0 Fix Pack 2 (2.5.0.2)

Solution

Upgrade to IBM Lotus Connections version 2.5.0 Fix Pack 2 (2.5.0.2) :
http://www-933.ibm.com/eserver/support/fixes/fixcentral/swg/quickorder?fixes=2.5.0.2-LC-Multi-FP000001&productid=Lotus+Connections&brandid=2

References

http://www.vupen.com/english/advisories/2010/1281
http://www-01.ibm.com/support/docview.wss?uid=swg21431472

Credits

Vulnerabilities reported by the vendor.

Changelog

2010-06-01 : Initial release

Feedback

If you have additional information or corrections for this security advisory please submit them via our contact form.