CVE-2023-28017

HCL Connections is vulnerable to a cross-site scripting attack where an attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user after visiting the vulnerable URL which leads to executing malicious script code. This may let the attacker steal cookie-based authentication credentials and comprise a user's account then launch other attacks.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0108264	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:hcltech:connections:6.0:::::::*
	cpe:2.3:a:hcltech:connections:6.5:::::::*
	cpe:2.3:a:hcltech:connections:7.0:::::::*
	cpe:2.3:a:hcltech:connections:8.0:::::::*

History

12 Dec 2023, 15:51

Type	Values Removed	Values Added
CWE		CWE-79
CPE		cpe:2.3:a:hcltech:connections:6.5:::::::* cpe:2.3:a:hcltech:connections:7.0:::::::* cpe:2.3:a:hcltech:connections:8.0:::::::* cpe:2.3:a:hcltech:connections:6.0:::::::*
References	~~() https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0108264 -~~	() https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0108264 - Patch, Vendor Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.4

07 Dec 2023, 05:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-12-07 05:15

Updated : 2024-02-05 00:22

NVD link : CVE-2023-28017

Mitre link : CVE-2023-28017

CVE.ORG link : CVE-2023-28017

JSON object : View

Products Affected

hcltech

connections

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2023-28017", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}, {"type": "Secondary", "source": "psirt@hcl.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}]}, "published": "2023-12-07T05:15:07.970", "references": [{"url": "https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0108264", "tags": ["Patch", "Vendor Advisory"], "source": "psirt@hcl.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "HCL Connections is vulnerable to a cross-site scripting attack where an attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user after visiting the vulnerable URL which leads to executing malicious script code. This may let the attacker steal cookie-based authentication credentials and comprise a user's account then launch other attacks.\n"}, {"lang": "es", "value": "HCL Connections es vulnerable a un ataque de Cross-Site-Scripting en el que un atacante puede aprovechar este problema para ejecutar c\u00f3digo de script arbitrario en el navegador de un usuario desprevenido despu\u00e9s de visitar la URL vulnerable que conduce a la ejecuci\u00f3n de c\u00f3digo de script malicioso. Esto puede permitir al atacante robar credenciales de autenticaci\u00f3n basadas en cookies y capturar la cuenta de un usuario y luego lanzar otros ataques."}], "lastModified": "2023-12-12T15:51:51.903", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:hcltech:connections:6.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "217197F0-089E-463E-904D-BDB31F929FE2"}, {"criteria": "cpe:2.3:a:hcltech:connections:6.5:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D9D30E64-F094-4692-A882-CAAA3AFE8C1B"}, {"criteria": "cpe:2.3:a:hcltech:connections:7.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FD4BF4C3-3D45-41A8-886F-521E095CBBF2"}, {"criteria": "cpe:2.3:a:hcltech:connections:8.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D55E0F2F-7C8D-4334-8B8D-CCF88431F6DF"}], "operator": "OR"}]}], "sourceIdentifier": "psirt@hcl.com"}