CVE-2023-45718

Sametime is impacted by a failure to invalidate sessions. The application is setting sensitive cookie values in a persistent manner in Sametime Web clients. When this happens, cookie values can remain valid even after a user has closed out their session.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0109082	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:hcltech:sametime:*:*:*:*:*:*:*:*

History

05 Sep 2024, 13:14

Type	Values Removed	Values Added
References	~~() https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0109082 -~~	() https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0109082 - Vendor Advisory
CWE		CWE-384
CVSS	v2 : ~~unknown~~ v3 : ~~3.9~~	v2 : unknown v3 : 7.5
First Time		Hcltech sametime Hcltech
CPE		cpe:2.3:a:hcltech:sametime::::::::

09 Feb 2024, 22:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-02-09 22:15

Updated : 2024-09-05 13:14

NVD link : CVE-2023-45718

Mitre link : CVE-2023-45718

CVE.ORG link : CVE-2023-45718

JSON object : View

Products Affected

hcltech

sametime

CWE

CWE-384

Session Fixation

{"id": "CVE-2023-45718", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "psirt@hcl.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.9, "attackVector": "PHYSICAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:P/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 0.3}]}, "published": "2024-02-09T22:15:08.167", "references": [{"url": "https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0109082", "tags": ["Vendor Advisory"], "source": "psirt@hcl.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-384"}]}], "descriptions": [{"lang": "en", "value": "Sametime is impacted by a failure to invalidate sessions. The application is setting sensitive cookie values in a persistent manner in Sametime Web clients. When this happens, cookie values can remain valid even after a user has closed out their session. \u00a0\n"}, {"lang": "es", "value": "Sametime se ve afectado por un error al invalidar las sesiones. La aplicaci\u00f3n establece valores de cookies confidenciales de forma persistente en los clientes web de Sametime. Cuando esto sucede, los valores de las cookies pueden seguir siendo v\u00e1lidos incluso despu\u00e9s de que un usuario haya cerrado su sesi\u00f3n."}], "lastModified": "2024-09-05T13:14:01.253", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:hcltech:sametime:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AFB79405-6D48-490D-BBF5-FFC42551C721", "versionEndExcluding": "12.0.2", "versionStartIncluding": "11.5"}], "operator": "OR"}]}], "sourceIdentifier": "psirt@hcl.com"}