CVE-2022-38660 - OpenCVE

HCL XPages applications are susceptible to a Cross Site Request Forgery (CSRF) vulnerability. An unauthenticated attacker could exploit this vulnerability to perform actions in the application on behalf of the logged in user.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Hcltech	Domino

Configuration 1 [-]

OR	cpe:2.3:a:hcltech:domino::::::::
	cpe:2.3:a:hcltech:domino:9.0.1:feature_pack_10_interim_fix_3::::::
	cpe:2.3:a:hcltech:domino:9.0.1:feature_pack_10_interim_fix_4::::::
	cpe:2.3:a:hcltech:domino:9.0.1:feature_pack_10_interim_fix_5::::::
	cpe:2.3:a:hcltech:domino:9.0.1:feature_pack_8::::::
	cpe:2.3:a:hcltech:domino:9.0.1:feature_pack_8_interim_fix_1::::::
	cpe:2.3:a:hcltech:domino:9.0.1:feature_pack_8_interim_fix_2::::::
	cpe:2.3:a:hcltech:domino:9.0.1:feature_pack_8_interim_fix_3::::::

No data.

References

Link	Providers
https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0101037

History

No history.

MITRE

Status: PUBLISHED

Assigner: HCL

Published: 2022-11-04T19:57:02.979Z

Updated: 2024-08-03T11:02:14.565Z

Reserved: 2022-08-22T16:31:27.395Z

Link: CVE-2022-38660

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-11-04T20:15:10.363

Modified: 2023-11-07T03:50:11.143

Link: CVE-2022-38660

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-38660", "assignerOrgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc", "state": "PUBLISHED", "assignerShortName": "HCL", "requesterUserId": "520cc88b-a1c8-44f6-9154-21a4d74c769f", "dateReserved": "2022-08-22T16:31:27.395Z", "datePublished": "2022-11-04T19:57:02.979Z", "dateUpdated": "2024-08-03T11:02:14.565Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "modules": ["XPages"], "product": "HCL Domino", "vendor": "HCL Software", "versions": [{"status": "affected", "version": "v9"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">HCL XPages applications are susceptible to a Cross Site Request Forgery (CSRF) vulnerability. An unauthenticated attacker could exploit this vulnerability to perform actions in the application on behalf of the logged in user.  </span><br>"}], "value": "HCL XPages applications are susceptible to a Cross Site Request Forgery (CSRF) vulnerability. An unauthenticated attacker could exploit this vulnerability to perform actions in the application on behalf of the logged in user. \u00a0\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc", "shortName": "HCL", "dateUpdated": "2022-11-04T19:57:02.979Z"}, "references": [{"url": "https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0101037"}], "source": {"discovery": "UNKNOWN"}, "title": "HCL XPages applications are susceptible to Cross Site Request Forgery (CSRF) vulnerability", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T11:02:14.565Z"}, "title": "CVE Program Container", "references": [{"url": "https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0101037", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hcltech:domino:*:*:*:*:*:*:*:*", "matchCriteriaId": "EA96995E-99EC-4260-A329-B4137AFBEB6B", "versionEndExcluding": "9.0.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:hcltech:domino:9.0.1:feature_pack_10_interim_fix_3:*:*:*:*:*:*", "matchCriteriaId": "2D00AC8D-4E35-49F4-B0EE-C03E1EE67B8E", "vulnerable": true}, {"criteria": "cpe:2.3:a:hcltech:domino:9.0.1:feature_pack_10_interim_fix_4:*:*:*:*:*:*", "matchCriteriaId": "0FBD1792-01BA-402A-859E-531F7614C9A2", "vulnerable": true}, {"criteria": "cpe:2.3:a:hcltech:domino:9.0.1:feature_pack_10_interim_fix_5:*:*:*:*:*:*", "matchCriteriaId": "DB652BE0-5767-4D42-A618-1315243A5C52", "vulnerable": true}, {"criteria": "cpe:2.3:a:hcltech:domino:9.0.1:feature_pack_8:*:*:*:*:*:*", "matchCriteriaId": "F3D799A2-AC87-43E8-A6A2-E76E1535A7C4", "vulnerable": true}, {"criteria": "cpe:2.3:a:hcltech:domino:9.0.1:feature_pack_8_interim_fix_1:*:*:*:*:*:*", "matchCriteriaId": "9C9A93C4-70E8-472D-A038-14F72780E02F", "vulnerable": true}, {"criteria": "cpe:2.3:a:hcltech:domino:9.0.1:feature_pack_8_interim_fix_2:*:*:*:*:*:*", "matchCriteriaId": "442C02A0-0232-488A-8A66-62386FFBC807", "vulnerable": true}, {"criteria": "cpe:2.3:a:hcltech:domino:9.0.1:feature_pack_8_interim_fix_3:*:*:*:*:*:*", "matchCriteriaId": "A349B3BD-CB3D-4290-BE9E-8FFA68C3512B", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "HCL XPages applications are susceptible to a Cross Site Request Forgery (CSRF) vulnerability. An unauthenticated attacker could exploit this vulnerability to perform actions in the application on behalf of the logged in user. \u00a0\n"}, {"lang": "es", "value": "Las aplicaciones HCL XPages son susceptibles a una vulnerabilidad de Cross-Site Request Forgery (CSRF). Un atacante no autenticado podr\u00eda aprovechar esta vulnerabilidad para realizar acciones en la aplicaci\u00f3n en nombre del usuario que inici\u00f3 sesi\u00f3n."}], "id": "CVE-2022-38660", "lastModified": "2023-11-07T03:50:11.143", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.5, "source": "psirt@hcl.com", "type": "Secondary"}]}, "published": "2022-11-04T20:15:10.363", "references": [{"source": "psirt@hcl.com", "tags": ["Vendor Advisory"], "url": "https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0101037"}], "sourceIdentifier": "psirt@hcl.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-352"}], "source": "psirt@hcl.com", "type": "Secondary"}]}