CVE-2011-1520

Current Description

The default configuration of the server console in IBM Lotus Domino does not require a password (aka Server_Console_Password), which allows physically proximate attackers to perform administrative changes or obtain sensitive information via a (1) Load, (2) Tell, or (3) Set Configuration command.

Basic Data

Published: March 25, 2011
Last Modified: October 09, 2018
Assigner: cve@mitre.org
Data Type: CVE
Data Format: MITRE
Data Version: 4.0
Problem Type: CWE-287
CVE Data Version: 4.0

Base Metric V2

CVSS 2 - Version: 2.0
CVSS 2 - Vector String: AV:L/AC:L/Au:N/C:C/I:C/A:C
CVSS 2 - Access Vector: LOCAL
CVSS 2 - Access Complexity: LOW
CVSS 2 - Authentication: NONE
CVSS 2 - Confidentiality Impact: COMPLETE
CVSS 2 - Availability Impact: COMPLETE
CVSS 2 - Base Score: 7.2
Severity: HIGH
Exploitability Score: 3.9
Impact Score: 10.0
Obtain All Privilege: false
Obtain User Privilege: false
Obtain Other Privilege: false

Base Metric V3

No data provided.

Configurations

  • OR - Configuration 1
    Cpe Version: 2.3
    Part: Application
    Vendor: Ibm
    Product: Lotus Domino
    Version: *
    Update: *
    Edition: *
    Language: *
    SW Edition: *
    Target SW: *
    Target HW: *
    Other: *
    Version Start Including: (empty)
    Version End Including: (empty)
    Version Start Excluding: (empty)
    Version End Excluding: (empty)

Vulnerable Software List

Vendor: Ibm
Product: Lotus Domino
Versions: *

References

  • Name: http://publib.boulder.ibm.com/infocenter/domhelp/v8r0/index.jsp?topic=/com.ibm.help.domino.admin.doc/DOC/H_THE_DOMINO_CONTROLLER_AND_CONSOLE_OVER.html
    Source: MISC
    URL: http://publib.boulder.ibm.com/infocenter/domhelp/v8r0/index.jsp?topic=/com.ibm.help.domino.admin.doc
  • Name: 8164
    Source: SREASON
    URL: http://securityreason.com/securityalert/8164
  • Name: http://www.lotus.com/ldd/doc/domino_notes/rnext/help6_admin.nsf/2e73cbb2141acefa85256b8700688cea/0c50e423038555d085256c1d003a31f0?OpenDocument
    Source: MISC
    URL: http://www.lotus.com/ldd/doc/domino_notes/rnext/help6_admin.nsf/2e73cbb2141acefa85256b8700688cea/0c5
  • Name: http://www.lotus.com/ldd/dominowiki.nsf/dx/server_console_password
    Source: CONFIRM
    URL: http://www.lotus.com/ldd/dominowiki.nsf/dx/server_console_password
  • Name: 20110322 ZDI-11-110: (0day) IBM Lotus Domino Server Controller Authentication Bypass Remote Code Execution Vulnerability
    Source: BUGTRAQ
    URL: http://www.securityfocus.com/archive/1/517119/100/0/threaded
  • Name: http://www.zerodayinitiative.com/advisories/ZDI-11-110
    Source: MISC
    URL: http://www.zerodayinitiative.com/advisories/ZDI-11-110