CVE-2004-1621 - Vulnerability Details - OpenCVE

NOTE: this issue has been disputed by the vendor. Cross-site scripting (XSS) vulnerability in IBM Lotus Notes R6 and Domino R6, and possibly earlier versions, allows remote attackers to execute arbitrary web script or HTML via square brackets at the beginning and end of (1) computed for display, (2) computed when composed, or (3) computed text element fields. NOTE: the vendor has disputed this issue, saying that it is not a problem with Notes/Domino itself, but with the applications that do not properly handle this feature

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Ibm	Lotus Domino

Configuration 1 [-]

OR	cpe:2.3:a:ibm:lotus_domino:6.0:::::::*
	cpe:2.3:a:ibm:lotus_domino:6.0.1:::::::*
	cpe:2.3:a:ibm:lotus_domino:6.0.2:::::::*
	cpe:2.3:a:ibm:lotus_domino:6.0.2_cf2:::::::*
	cpe:2.3:a:ibm:lotus_domino:6.0.3:::::::*
	cpe:2.3:a:ibm:lotus_domino:6.5.0:::::::*
	cpe:2.3:a:ibm:lotus_domino:6.5.1:::::::*
	cpe:2.3:a:ibm:lotus_domino:6.5.2:::::::*

No data.

References

Link	Providers
http://marc.info/?l=bugtraq&m=109812960023736&w=2
http://marc.info/?l=bugtraq&m=109841682529328&w=2
http://secunia.com/advisories/12891
http://securitytracker.com/id?1011779
http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21187833
http://www.kb.cert.org/vuls/id/404382
http://www.securityfocus.com/bid/11458
https://exchange.xforce.ibmcloud.com/vulnerabilities/17758

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2005-02-20T05:00:00

Updated: 2024-08-08T01:00:35.866Z

Reserved: 2005-02-20T00:00:00

Link: CVE-2004-1621

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2004-10-18T04:00:00.000

Modified: 2025-04-03T01:03:51.193

Link: CVE-2004-1621

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2004-10-18T00:00:00", "descriptions": [{"lang": "en", "value": "NOTE: this issue has been disputed by the vendor. Cross-site scripting (XSS) vulnerability in IBM Lotus Notes R6 and Domino R6, and possibly earlier versions, allows remote attackers to execute arbitrary web script or HTML via square brackets at the beginning and end of (1) computed for display, (2) computed when composed, or (3) computed text element fields. NOTE: the vendor has disputed this issue, saying that it is not a problem with Notes/Domino itself, but with the applications that do not properly handle this feature"}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-07-10T14:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "VU#404382", "tags": ["third-party-advisory", "x_refsource_CERT-VN"], "url": "http://www.kb.cert.org/vuls/id/404382"}, {"name": "lotus-notes-xss(17758)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/17758"}, {"name": "20041021 Re: IBM Lotus Notes/Domino fails to encode Square Brackets ( [ ] )", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://marc.info/?l=bugtraq&m=109841682529328&w=2"}, {"name": "12891", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/12891"}, {"name": "11458", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/11458"}, {"name": "20041018 IBM Lotus Notes/Domino fails to encode Square Brackets ( [ ] )", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://marc.info/?l=bugtraq&m=109812960023736&w=2"}, {"name": "1011779", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://securitytracker.com/id?1011779"}, {"tags": ["x_refsource_MISC"], "url": "http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21187833"}], "tags": ["disputed"], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2004-1621", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "** DISPUTED ** NOTE: this issue has been disputed by the vendor. Cross-site scripting (XSS) vulnerability in IBM Lotus Notes R6 and Domino R6, and possibly earlier versions, allows remote attackers to execute arbitrary web script or HTML via square brackets at the beginning and end of (1) computed for display, (2) computed when composed, or (3) computed text element fields. NOTE: the vendor has disputed this issue, saying that it is not a problem with Notes/Domino itself, but with the applications that do not properly handle this feature."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "VU#404382", "refsource": "CERT-VN", "url": "http://www.kb.cert.org/vuls/id/404382"}, {"name": "lotus-notes-xss(17758)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/17758"}, {"name": "20041021 Re: IBM Lotus Notes/Domino fails to encode Square Brackets ( [ ] )", "refsource": "BUGTRAQ", "url": "http://marc.info/?l=bugtraq&m=109841682529328&w=2"}, {"name": "12891", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/12891"}, {"name": "11458", "refsource": "BID", "url": "http://www.securityfocus.com/bid/11458"}, {"name": "20041018 IBM Lotus Notes/Domino fails to encode Square Brackets ( [ ] )", "refsource": "BUGTRAQ", "url": "http://marc.info/?l=bugtraq&m=109812960023736&w=2"}, {"name": "1011779", "refsource": "SECTRACK", "url": "http://securitytracker.com/id?1011779"}, {"name": "http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21187833", "refsource": "MISC", "url": "http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21187833"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-08T01:00:35.866Z"}, "title": "CVE Program Container", "references": [{"name": "VU#404382", "tags": ["third-party-advisory", "x_refsource_CERT-VN", "x_transferred"], "url": "http://www.kb.cert.org/vuls/id/404382"}, {"name": "lotus-notes-xss(17758)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/17758"}, {"name": "20041021 Re: IBM Lotus Notes/Domino fails to encode Square Brackets ( [ ] )", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://marc.info/?l=bugtraq&m=109841682529328&w=2"}, {"name": "12891", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/12891"}, {"name": "11458", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/11458"}, {"name": "20041018 IBM Lotus Notes/Domino fails to encode Square Brackets ( [ ] )", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://marc.info/?l=bugtraq&m=109812960023736&w=2"}, {"name": "1011779", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://securitytracker.com/id?1011779"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21187833"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2004-1621", "datePublished": "2005-02-20T05:00:00", "dateReserved": "2005-02-20T00:00:00", "dateUpdated": "2024-08-08T01:00:35.866Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ibm:lotus_domino:6.0:*:*:*:*:*:*:*", "matchCriteriaId": "A9989FEB-3B5E-40FF-BDBF-CFC835BCF93B", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:lotus_domino:6.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "B4B2AFF7-3921-402A-AE7A-BB9E2E8AA0A5", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:lotus_domino:6.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "C1320064-F0E9-42C8-8E1C-9037684FA693", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:lotus_domino:6.0.2_cf2:*:*:*:*:*:*:*", "matchCriteriaId": "64AB8494-6BC9-43CB-A645-43944B03D10A", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:lotus_domino:6.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "06DBE88F-F765-448E-88AF-3ED9FB98181A", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:lotus_domino:6.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "0766C3F9-D2A2-4A58-9FF7-11B57232DEA0", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:lotus_domino:6.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "C00B8057-26DF-4064-A934-0AA88A0C1A6F", "vulnerable": true}, {"criteria": "cpe:2.3:a:ibm:lotus_domino:6.5.2:*:*:*:*:*:*:*", "matchCriteriaId": "8EFA5487-2D61-4E61-98A3-51882A8CE0C4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [{"sourceIdentifier": "cve@mitre.org", "tags": ["disputed"]}], "descriptions": [{"lang": "en", "value": "NOTE: this issue has been disputed by the vendor. Cross-site scripting (XSS) vulnerability in IBM Lotus Notes R6 and Domino R6, and possibly earlier versions, allows remote attackers to execute arbitrary web script or HTML via square brackets at the beginning and end of (1) computed for display, (2) computed when composed, or (3) computed text element fields. NOTE: the vendor has disputed this issue, saying that it is not a problem with Notes/Domino itself, but with the applications that do not properly handle this feature"}], "id": "CVE-2004-1621", "lastModified": "2025-04-03T01:03:51.193", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2004-10-18T04:00:00.000", "references": [{"source": "cve@mitre.org", "url": "http://marc.info/?l=bugtraq&m=109812960023736&w=2"}, {"source": "cve@mitre.org", "url": "http://marc.info/?l=bugtraq&m=109841682529328&w=2"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Vendor Advisory"], "url": "http://secunia.com/advisories/12891"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Vendor Advisory"], "url": "http://securitytracker.com/id?1011779"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Vendor Advisory"], "url": "http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21187833"}, {"source": "cve@mitre.org", "tags": ["US Government Resource"], "url": "http://www.kb.cert.org/vuls/id/404382"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Vendor Advisory"], "url": "http://www.securityfocus.com/bid/11458"}, {"source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/17758"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://marc.info/?l=bugtraq&m=109812960023736&w=2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://marc.info/?l=bugtraq&m=109841682529328&w=2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Vendor Advisory"], "url": "http://secunia.com/advisories/12891"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Vendor Advisory"], "url": "http://securitytracker.com/id?1011779"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Vendor Advisory"], "url": "http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21187833"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["US Government Resource"], "url": "http://www.kb.cert.org/vuls/id/404382"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Vendor Advisory"], "url": "http://www.securityfocus.com/bid/11458"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/17758"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}