CVE-2021-27760 - OpenCVE

An issue was discovered in the Sametime chat feature in the Notes 11.0 - 11.0.1 FP4 clients. An authenticated Sametime chat user could cause Remote Code Execution on another chat client by sending a specially formatted message through chat containing Javascript code.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact Low

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:S/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Hcltech	Hcl Inotes

Configuration 1 [-]

OR	cpe:2.3:a:hcltech:hcl_inotes:11.0.0:::::::*
	cpe:2.3:a:hcltech:hcl_inotes:11.0.1:-::::::
	cpe:2.3:a:hcltech:hcl_inotes:11.0.1:fixpack1::::::
	cpe:2.3:a:hcltech:hcl_inotes:11.0.1:fixpack2::::::
	cpe:2.3:a:hcltech:hcl_inotes:11.0.1:fixpack3::::::
	cpe:2.3:a:hcltech:hcl_inotes:11.0.1:fixpack4::::::

No data.

References

Link	Providers
https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0097670

History

No history.

MITRE

Status: PUBLISHED

Assigner: HCL

Published: 2022-05-06T18:10:30.931261Z

Updated: 2024-09-17T04:19:12.658Z

Reserved: 2021-02-26T00:00:00

Link: CVE-2021-27760

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-05-06T18:15:08.713

Modified: 2022-07-29T13:56:51.333

Link: CVE-2021-27760

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "HCL Notes", "vendor": "HCL Software", "versions": [{"status": "affected", "version": "11.0 - 11.0.1 FP4"}]}], "datePublic": "2022-04-11T00:00:00", "descriptions": [{"lang": "en", "value": "An issue was discovered in the Sametime chat feature in the Notes 11.0 - 11.0.1 FP4 clients. An authenticated Sametime chat user could cause Remote Code Execution on another chat client by sending a specially formatted message through chat containing Javascript code."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-05-06T18:10:30", "orgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc", "shortName": "HCL"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0097670"}], "source": {"discovery": "UNKNOWN"}, "title": "HCL Notes 11.0 - 11.0.1 FP4 Sametime Embedded chat clients are vulnerable to group chats loading script on restart", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@hcl.com", "DATE_PUBLIC": "2022-04-11T00:00:00.000Z", "ID": "CVE-2021-27760", "STATE": "PUBLIC", "TITLE": "HCL Notes 11.0 - 11.0.1 FP4 Sametime Embedded chat clients are vulnerable to group chats loading script on restart"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "HCL Notes", "version": {"version_data": [{"version_value": "11.0 - 11.0.1 FP4"}]}}]}, "vendor_name": "HCL Software"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue was discovered in the Sametime chat feature in the Notes 11.0 - 11.0.1 FP4 clients. An authenticated Sametime chat user could cause Remote Code Execution on another chat client by sending a specially formatted message through chat containing Javascript code."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-20 Improper Input Validation"}]}]}, "references": {"reference_data": [{"name": "https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0097670", "refsource": "MISC", "url": "https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0097670"}]}, "source": {"discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T21:26:10.704Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0097670"}]}]}, "cveMetadata": {"assignerOrgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc", "assignerShortName": "HCL", "cveId": "CVE-2021-27760", "datePublished": "2022-05-06T18:10:30.931261Z", "dateReserved": "2021-02-26T00:00:00", "dateUpdated": "2024-09-17T04:19:12.658Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hcltech:hcl_inotes:11.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "63B76DD1-79D7-4320-A1E8-7B5BF5345B3E", "vulnerable": true}, {"criteria": "cpe:2.3:a:hcltech:hcl_inotes:11.0.1:-:*:*:*:*:*:*", "matchCriteriaId": "2433DEDD-8650-4B01-85B9-92F5D1446030", "vulnerable": true}, {"criteria": "cpe:2.3:a:hcltech:hcl_inotes:11.0.1:fixpack1:*:*:*:*:*:*", "matchCriteriaId": "582BCD88-43F2-4E10-B638-4C1D54ED71F8", "vulnerable": true}, {"criteria": "cpe:2.3:a:hcltech:hcl_inotes:11.0.1:fixpack2:*:*:*:*:*:*", "matchCriteriaId": "DF9D5E06-963D-46D1-B780-5FA7F3B29A94", "vulnerable": true}, {"criteria": "cpe:2.3:a:hcltech:hcl_inotes:11.0.1:fixpack3:*:*:*:*:*:*", "matchCriteriaId": "35AECE5B-35F0-4DF4-A7E8-BE66A0D1E271", "vulnerable": true}, {"criteria": "cpe:2.3:a:hcltech:hcl_inotes:11.0.1:fixpack4:*:*:*:*:*:*", "matchCriteriaId": "E2845122-0A3C-4BDD-95A3-341A18E33040", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in the Sametime chat feature in the Notes 11.0 - 11.0.1 FP4 clients. An authenticated Sametime chat user could cause Remote Code Execution on another chat client by sending a specially formatted message through chat containing Javascript code."}, {"lang": "es", "value": "Se ha detectado un problema en la funcionalidad de chat de Sametime en los clientes Notes 11.0 - 11.0.1 FP4. Un usuario autenticado del chat de Sametime podr\u00eda causar una Ejecuci\u00f3n de C\u00f3digo Remota en otro cliente de chat mediante el env\u00edo de un mensaje con formato especial mediante el chat que contenga c\u00f3digo Javascript"}], "id": "CVE-2021-27760", "lastModified": "2022-07-29T13:56:51.333", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 3.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 2.5, "source": "psirt@hcl.com", "type": "Secondary"}]}, "published": "2022-05-06T18:15:08.713", "references": [{"source": "psirt@hcl.com", "tags": ["Third Party Advisory"], "url": "https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0097670"}], "sourceIdentifier": "psirt@hcl.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-20"}], "source": "psirt@hcl.com", "type": "Secondary"}]}