HCL Sametime Chat
by HCL Software
CVEs (7)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2023-37540 | HCL Software / Sametime Chat | | 0.00 | — | 0.00 | | Feb 23, 2024 | Sametime Connect desktop chat client includes, but does not use or require, the use of an Eclipse feature called Secure Storage. Using this Eclipse feature to store sensitive data can lead to exposure of that data. |
| CVE-2023-45698 | HCL Software / Sametime Chat | | 0.00 | — | 0.00 | | Feb 10, 2024 | Sametime is impacted by lack of clickjacking protection in the Outlook add-in. The application does not implement appropriate protections to protect users from clickjacking attacks. |
| CVE-2023-45696 | HCL Software / Sametime Chat | | 0.00 | — | 0.00 | | Feb 10, 2024 | Sametime is impacted by sensitive fields with autocomplete enabled in the Legacy web chat client. By default, this allows user-entered data to be stored by the browser. |
| CVE-2023-45718 | HCL Software / Sametime Chat | | 0.00 | — | 0.00 | | Feb 9, 2024 | Sametime is impacted by a failure to invalidate sessions. The application sets sensitive cookie values in a persistent manner in Sametime Web clients, so cookie values can remain valid even after a user has closed their session. |
| CVE-2023-45716 | HCL Software / Sametime Chat | | 0.00 | — | 0.00 | | Feb 9, 2024 | Sametime is impacted by sensitive information passed in the URL. |
| CVE-2023-50349 | HCL Software / Sametime Chat | | 0.00 | — | 0.00 | | Feb 9, 2024 | Sametime is impacted by a Cross-Site Request Forgery (CSRF) vulnerability. Some REST APIs in the Sametime Proxy application can allow an attacker to perform malicious actions on the application. |
| CVE-2022-42446 | HCL Software / Sametime Chat | | 0.00 | — | 0.00 | | Nov 30, 2022 | Starting with Sametime 12, anonymous users are enabled by default. After logging in as an anonymous user, one has the ability to browse the User Directory and potentially create chats with internal users. |