Sametime Security Vulnerabilities
Sametime Connect desktop chat client includes, but does not use or require, the use of an Eclipse feature called Secure Storage. Using this Eclipse feature to store sensitive data can lead to exposure of that...
3.9CVSS
7.2AI Score
0.0004EPSS
Sametime is impacted by lack of clickjacking protection in Outlook add-in. The application is not implementing appropriate protections in order to protect users from clickjacking...
4.8CVSS
7.3AI Score
0.0004EPSS
Sametime is impacted by sensitive fields with autocomplete enabled in the Legacy web chat client. By default, this allows user entered data to be stored by the...
4CVSS
6.9AI Score
0.0004EPSS
Sametime is impacted by a failure to invalidate sessions. The application is setting sensitive cookie values in a persistent manner in Sametime Web clients. When this happens, cookie values can remain valid even after a user has closed out their...
3.9CVSS
7.2AI Score
0.0004EPSS
4.1CVSS
7AI Score
0.0004EPSS
Sametime is impacted by a Cross Site Request Forgery (CSRF) vulnerability. Some REST APIs in the Sametime Proxy application can allow an attacker to perform malicious actions on the...
8.8CVSS
7.5AI Score
0.001EPSS
Starting with Sametime 12, anonymous users are enabled by default. After logging in as an anonymous user, one has the ability to browse the User Directory and potentially create chats with internal...
6.5CVSS
6.4AI Score
0.001EPSS
User SID can be modified resulting in an Arbitrary File Upload or deletion of directories causing a Denial of Service. When interacting in a normal matter with the Sametime chat application, users hold a cookie containing their session ID (SID). This value is also used when sending chat messages,.....
7.6CVSS
7.4AI Score
0.001EPSS
The vulnerability was discovered within the “FaviconService”. The service takes a base64-encoded URL which is then requested by the webserver. We assume this service is used by the “meetings”-function where users can specify an external URL where the online meeting will take...
8.8CVSS
8.6AI Score
0.002EPSS
This vulnerability allows users to execute a clickjacking attack in the meeting's...
4.3CVSS
4.7AI Score
0.001EPSS
Users are able to read group conversations without actively taking part in them. Next to one to one conversations, users are able to start group conversations with multiple users. It was found possible to obtain the contents of these group conversations without being part of it. This could lead to....
6.5CVSS
6.2AI Score
0.001EPSS
Information leakage occurs when a website reveals information that could aid an attacker to further exploit the system. This information may or may not be sensitive and does not automatically mean a breach is likely to occur. Overall, any information that could be used for an attack should be...
5.3CVSS
5.1AI Score
0.001EPSS
Jenkins Sametime Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file...
8.8CVSS
8.6AI Score
0.003EPSS
IBM Sametime allows remote attackers to obtain sensitive information from the Sametime Log database via a direct request to STLOG.NSF. IBM X-Force ID:...
5.3CVSS
6.3AI Score
0.001EPSS
IBM Sametime 8.5.2 and 9.0 under certain conditions provides an error message to a user that is too detailed and may reveal details about the application. IBM X-Force ID:...
5.3CVSS
6.7AI Score
0.001EPSS
IBM Sametime 8.5.2 and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Sametime away message altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID:...
5.4CVSS
6.3AI Score
0.001EPSS
IBM Sametime 8.5.2 and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID:...
5.4CVSS
6.3AI Score
0.001EPSS
The Sametime WebPlayer 8.5.2 and 9.0 is vulnerable to a script injection where a malicious site can inject their own script by exploiting a vulnerability in the way that the WebPlayer works. IBM X-Force ID:...
6.3CVSS
6.8AI Score
0.002EPSS
IBM Sametime 8.5.2 and 9.0 could store potentially sensitive information from the browser cache locally that could be available to a local user. IBM X-Force ID:...
3.3CVSS
6.1AI Score
0.0004EPSS
IBM Sametime 8.5.2 and 9.0 could allow an unauthorized authenticated user to enumerate group chat ID numbers and join meetings that he was not invited to. IBM X-Force ID:...
4.3CVSS
6.5AI Score
0.001EPSS
IBM Sametime Meeting Server 8.5.2 and 9.0 could allow a meeting invitee to obtain previously cleared sensitive information by viewing the meeting report history. IBM X-Force ID:...
4.3CVSS
6.2AI Score
0.001EPSS
IBM Sametime 8.5.1 and 9.0 could allow an authenticated user to enumerate meeting rooms by guessing the meeting room id. IBM X-Force ID:...
4.3CVSS
6.6AI Score
0.001EPSS
IBM Sametime Connect 8.5.2 and 9.0, after uninstalling the Sametime Rich Client, could disclose potentially sensitive information related to the Sametime environment as well as other users on the local machine of the user. IBM X-Force ID:...
3.3CVSS
6.2AI Score
0.001EPSS
IBM Sametime Media Services 8.5.2 and 9.0 can disclose sensitive information in stack trace error logs that could aid an attacker in future attacks. IBM X-Force ID:...
5.3CVSS
6.3AI Score
0.002EPSS
IBM Sametime Media Services 8.5.2 and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID:...
5.4CVSS
6.3AI Score
0.001EPSS
IBM Sametime Meeting Server 8.5.2 and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID:...
5.4CVSS
6.3AI Score
0.001EPSS
IBM Sametime Meeting Server 8.5.2 and 9.0 could allow an authenticated and invited user of Sametime meeting to lower any or all hands in an e-meeting, thus spoofing results of votes in the meeting. IBM X-Force ID:...
4.3CVSS
6.6AI Score
0.0005EPSS
IBM Sametime Meeting Server 8.5.2 and 9.0 could allow a meeting room manager to remove the primary managers privileges. IBM X-Force ID:...
4.3CVSS
6.8AI Score
0.001EPSS
IBM Sametime Meeting Server 8.5.2 and 9.0 may send replies that contain emails of people that should not be in these messages. IBM X-Force ID:...
4.3CVSS
6.8AI Score
0.001EPSS
IBM Sametime Enterprise Meeting Server 8.5.2 and 9.0 could allow an authenticated user that has been invited to a Sametime meeting room, to cause the screen sharing to cease through the use of cross-site request forgery. IBM X-Force ID:...
6.5CVSS
6.5AI Score
0.001EPSS
IBM Sametime Meeting Server 8.5.2 and 9.0 could store credentials of the Sametime Meetings user in the local cache of their browser which could be accessed by a local user. IBM X-Force ID:...
7.8CVSS
6.6AI Score
0.0004EPSS
IBM Sametime Enterprise Meeting Server 8.5.2 and 9.0 could allow an authenticated user to upload a malicious file to a Sametime meeting room, that could be downloaded by unsuspecting users which could be executed with user privileges. IBM X-Force ID:...
5.5CVSS
6.6AI Score
0.002EPSS
IBM Sametime Enterprise Meeting Server 8.5.2 and 9.0 could allow an authenticated user that has been invited to a Sametime meeting room, to cause the screen sharing to cease through the use of cross-site request forgery. IBM X-Force ID:...
6.5CVSS
6.5AI Score
0.001EPSS
IBM Sametime Meeting Server 8.5.2 and 9.0 is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input. By persuading a user to visit a malicious link, a remote attacker could force the user to log out of Sametime. IBM X-Force ID:...
6.5CVSS
6.8AI Score
0.001EPSS
IBM Sametime Meeting Server 8.5.2 and 9.0 could allow a malicious user to lower other users hands in the meeting. IBM X-Force ID:...
4.3CVSS
6.7AI Score
0.001EPSS
IBM Sametime 8.5 and 9.0 meetings server may provide detailed information in an error message that may provide details about the application to possible attackers. IBM X-Force ID:...
4.3CVSS
6.4AI Score
0.001EPSS
The Classic Meeting Server in IBM Sametime 8.x through 8.5.2.1 allows physically proximate attackers to discover a meeting password hash by leveraging access to an unattended workstation to read HTML source code within a victim's...
6.6AI Score
0.001EPSS
Cross-site scripting (XSS) vulnerability in the Classic Meeting Server in IBM Sametime 8.x through 8.5.2.1 allows remote attackers to inject arbitrary web script or HTML via a crafted...
5.6AI Score
0.003EPSS
The Meeting Server in IBM Sametime 8.x through 8.5.2.1 and 9.x through 9.0.0.1 does not include the HTTPOnly flag in a Set-Cookie header for an unspecified cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie, a different...
6.2AI Score
0.003EPSS
The Meeting Server in IBM Sametime 8.x through 8.5.2.1 and 9.x through 9.0.0.1 allows remote attackers to determine which meeting rooms are owned by a user by leveraging knowledge of valid user...
7.3AI Score
0.006EPSS
The Meeting Server in IBM Sametime 8.x through 8.5.2.1 and 9.x through 9.0.0.1 allows remote attackers to cause a denial of service (room unusability) by generating a large number of fictitious users to enter a meeting...
7.2AI Score
0.003EPSS
The Meeting Server in IBM Sametime 8.x through 8.5.2.1 and 9.x through 9.0.0.1 allows remote attackers to obtain unspecified installation information and technical data via a request to a public...
7AI Score
0.004EPSS
The Meeting Server in IBM Sametime 8.x through 8.5.2.1 and 9.x through 9.0.0.1 allows remote attackers to download avatar photos of arbitrary users via unspecified...
7.4AI Score
0.002EPSS
Cross-site scripting (XSS) vulnerability in the Meeting Server in IBM Sametime 8.x through 8.5.2.1 and 9.x through 9.0.0.1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted...
5.6AI Score
0.001EPSS
The Meeting Server in IBM Sametime 8.x through 8.5.2.1 and 9.x through 9.0.0.1 does not send the HSTS Strict-Transport-Security header, which makes it easier for man-in-the-middle attackers to hijack sessions or obtain sensitive information by leveraging the presence of HTTP...
6.5AI Score
0.001EPSS
The Meeting Server in IBM Sametime 8.x through 8.5.2.1 and 9.x through 9.0.0.1 does not check whether a session cookie is current, which allows remote attackers to conduct user-search actions by leveraging possession of a (1) expired or (2) invalidated...
7.3AI Score
0.002EPSS
Unspecified vulnerability in the Meeting Server in IBM Sametime 8.x through 8.5.2.1 and 9.x through 9.0.0.1 allows remote attackers to discover user names, full names, and e-mail addresses via a...
7.2AI Score
0.004EPSS
The Meeting Server in IBM Sametime 8.x through 8.5.2.1 and 9.x through 9.0.0.1 does not set the secure flag for an unspecified cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http...
6.6AI Score
0.002EPSS
The Connect client in IBM Sametime 8.5.1, 8.5.1.1, 8.5.1.2, 8.5.2, 8.5.2.1, 9.0, and 9.0.0.1, when a certain com.ibm.collaboration.realtime.telephony.*.level setting is used, logs cleartext passwords during Audio/Video chat sessions, which allows local users to obtain sensitive information by...
5.7AI Score
0.0004EPSS
The Meeting Server in IBM Sametime 8.5.2 through 8.5.2.1 and 9.x through 9.0.0.1 do not have an off autocomplete attribute for a password field, which makes it easier for remote attackers to obtain access by leveraging an unattended...
7.3AI Score
0.005EPSS