CVE-2023-45718

Sametime is impacted by a failure to invalidate sessions. The application is setting sensitive cookie values in a persistent manner in Sametime Web clients. When this happens, cookie values can remain valid even after a user has closed out their session.

CVSS v3 3.9 LOW

3.9^/10

CVSS v3 : LOW

Vector :

Exploitability : 0.3 / Impact : 3.6

Attack Vector PHYSICAL

Attack Complexity HIGH

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0109082	Vendor Advisory
https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0109082	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:hcltech:sametime:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2024-02-09 22:15

Updated : 2024-11-21 08:27

NVD link : CVE-2023-45718

Mitre link : CVE-2023-45718

CVE.ORG link : CVE-2023-45718

JSON object : View

Products Affected

hcltech

sametime

CWE

CWE-384

Session Fixation

{"id": "CVE-2023-45718", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "psirt@hcl.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.9, "attackVector": "PHYSICAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:P/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 0.3}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2024-02-09T22:15:08.167", "references": [{"url": "https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0109082", "tags": ["Vendor Advisory"], "source": "psirt@hcl.com"}, {"url": "https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0109082", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-384"}]}], "descriptions": [{"lang": "en", "value": "Sametime is impacted by a failure to invalidate sessions. The application is setting sensitive cookie values in a persistent manner in Sametime Web clients. When this happens, cookie values can remain valid even after a user has closed out their session. \u00a0\n"}, {"lang": "es", "value": "Sametime se ve afectado por un error al invalidar las sesiones. La aplicaci\u00f3n establece valores de cookies confidenciales de forma persistente en los clientes web de Sametime. Cuando esto sucede, los valores de las cookies pueden seguir siendo v\u00e1lidos incluso despu\u00e9s de que un usuario haya cerrado su sesi\u00f3n."}], "lastModified": "2024-11-21T08:27:15.520", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:hcltech:sametime:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AFB79405-6D48-490D-BBF5-FFC42551C721", "versionEndExcluding": "12.0.2", "versionStartIncluding": "11.5"}], "operator": "OR"}]}], "sourceIdentifier": "psirt@hcl.com"}