Because my comments are still awaiting moderation (tried two times hours ago, but no luck), I have decided to answer to this post from Milan in my blog:
„Yes, it is not good that these passwords are reachable from „outside“, but keep in mind that under normal circumstances the access to the names.nsf is restricted by default, because “Anonymous” is set to “No access”. So, the “exposed data” to the web are the informations which would be accessible for all users when using the Notes client.
The exposed data itself are hashed and salted, so even if the password hashes are reachable this does not mean that this is directly a security nightmare – you should not sleep well, but it is enough time to fix this in the next days. I don’t want to play it down, but the CVE is from 2016 and does not contain an exploit to extract the passwords from the hashes.
For more details, Ben has written a very informational post on passwords and hashes: Deep Dive into IBM Domino Security Part 1: Password Hashes
Also, you can use xACL for protecting these sensitiv data. Here is what IBM wrote about this topic: Securing Internet passwords„
You can also create a WebSiteRule (Redirection Rule)
to: whatever database you want (even a non exitisting one)
Then no one can access names.nsf from the internet, even if she is authenticated.
Even iNotes is still working with this way.
If one knows the replica-id of the names.nsf you can open it this way of course ….