This security advisory is pretty stupid.
The basic "flaw" is in the design of the NAMES.NTF template. When a web user views a Person Document, the hashed version of that persons Internet Password is included in the page source. You need to view the source in order to get the hash, and then you need to reverse the hash (which can be harder if 'more secure internet passwords' have been enabled in the Domino Directory), and then you can login as that person.
Obviously, this hash can be found in the Person document via a Notes client, so this 'flaw' is really only a problem if you're routinely allowing anonymous web users read access to your Domino Directory - and frankly, if you're doing that, then you deserve anything that comes your way.
There is a 'fix' for this which basically involves modifying a subform in the person doc to suppress sending the hashed password, but really, why bother? Sometimes it seems that people struggle to make these flaws sound a lot worse than they actually are..