IBM Domino ZMerge Database Security Bypass

High Nessus Plugin ID 86322


A remote database can be accessed without credentials.


The version of IBM Domino (formerly IBM Lotus Domino) running on the remote host is affected by a security bypass vulnerability due to insufficient access control list (ACL) settings on the administration databases for ZMerge. An unauthenticated, remote attacker can exploit this issue to disclose configuration information about the IBM Domino server installation or possibly to gain manager-level access.


Verify all of the ACLs for the available databases.

Plugin Details

Severity: High

ID: 86322

File Name: domino_db_no_password.nasl

Version: $Revision: 1.6 $

Type: remote

Family: Web Servers

Published: 2015/10/09

Modified: 2017/08/14

Dependencies: 10107

Risk Information

Risk Factor: High


CVSS v2.0

Base Score: 7.5

Temporal Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:ND/RL:ND/RC:C


CVSS v3.0

Base Score: 7.3

Temporal Score: 7.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS:3.0/E:X/RL:X/RC:C

Vulnerability Information

CPE: cpe:/a:ibm:lotus_domino

Required KB Items: www/domino

Exploit Available: false

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 2002/09/06

Reference Information

CVE: CVE-2002-0664

BID: 5101

OSVDB: 11911