Lucene search

HCLVULNRICHMENT:CVE-2023-45696

HistoryFeb 10, 2024 - 3:10 a.m.

CVE-2023-45696 HCL Sametime is impacted by an autocomplete enabled vulnerability

2024-02-1003:10:30

HCL

github.com

hcl sametime legacy vulnerability autocomplete

CVSS3

Attack Vector

PHYSICAL

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

AI Score

6.5

Confidence

Low

EPSS

0.001

Percentile

37.7%

SSVC

Exploitation

none

Automatable

Technical Impact

partial

JSON

Sametime is impacted by sensitive fields with autocomplete enabled in the Legacy web chat client. By default, this allows user entered data to be stored by the browser.

CNA Affected

[
  {
    "vendor": "HCL Software",
    "product": "HCL Sametime",
    "versions": [
      {
        "status": "affected",
        "version": "11.5, 11.6, 11.6 IF1, 12.0, 12.0 FP1, 12.0.1, 12.0.1 FP1"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

References

support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0109082

CVSS3

Attack Vector

PHYSICAL

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

AI Score

6.5

Confidence

Low

EPSS

0.001

Percentile

37.7%

SSVC

Exploitation

none

Automatable

Technical Impact

partial

JSON

Related for VULNRICHMENT:CVE-2023-45696