CVE-2021-27760

HCL Notes 11.0 - 11.0.1 FP4 Sametime Embedded chat clients are vulnerable to group chats loading script on restart

CVSS 4.6 MEDIUM · EPSS 0.7% · CWE-20
In short

The Sametime chat feature of the HCL Notes client lets an authenticated chat user run code on other users' chat clients by sending a specially formatted message that contains JavaScript. The script runs when the recipient's client loads or reloads the group chat (for example after a restart), which could let the attacker take control of the victim's chat client.

Technical detail

An authenticated attacker can achieve Remote Code Execution (RCE) on HCL Notes 11.0 to 11.0.1 FP4 Sametime Embedded chat clients by sending a crafted group-chat message that embeds JavaScript. The message content is not properly validated (CWE-20), so the script executes when the target client loads or restarts the group chat; the payload is persisted with the chat rather than running once on receipt. Two caveats for prioritisation: the attacker needs a Sametime chat account (PR:L) and the victim must take an action (UI:R), and the published vector rates the impact as Low confidentiality, no integrity and Low availability, which is why the score is 4.6 despite the RCE wording. The page lists only 11.0 through 11.0.1 FP4 as affected; it does not name a fixed release.

Summary generated and translated by AI from the official description.
An issue was discovered in the Sametime chat feature in the Notes 11.0 - 11.0.1 FP4 clients. An authenticated Sametime chat user could cause Remote Code Execution on another chat client by sending a specially formatted message through chat containing Javascript code.
CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:L
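The defect class behind this CVE, modelled as an added example: a chat client that stores group-chat messages and re-renders them as HTML on restart without validating or escaping the body. This is a hypothetical model written for this page, not HCL Sametime code; the transcript, the function names and the screening patterns are all constructed for illustration. It contrasts a naive renderer with an escaping one and includes a small triage scan for persisted messages that carry active content.

```javascript
// Hypothetical model of a CWE-20 chat-rendering bug (not HCL Sametime code).
// A group-chat transcript is persisted and rendered again on restart; if the
// body is concatenated into HTML unescaped, embedded script runs on reload.

// Constructed sample transcript: a benign message, one carrying an inline
// event handler, and one with legitimate angle brackets and ampersands.
const SAMPLE_TRANSCRIPT = [
  { from: "alice", body: "meeting moved to 3pm" },
  { from: "mallory", body: '<img src=x onerror="alert(document.cookie)">' },
  { from: "bob", body: "2 < 3 && 3 > 2" },
];

// Vulnerable pattern: the stored body goes straight into markup, so the
// browser view executes whatever tags and handlers the sender included.
function renderMessageUnsafe(msg) {
  return `<div class="msg"><b>${msg.from}</b>: ${msg.body}</div>`;
}

// Hardened pattern: encode the HTML-significant characters before the body
// touches markup, so it is displayed as text rather than interpreted.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderMessageSafe(msg) {
  return `<div class="msg"><b>${escapeHtml(msg.from)}</b>: ${escapeHtml(msg.body)}</div>`;
}

// Triage scan over persisted chat history: flag bodies that would become
// active content in an HTML view. These patterns are a screening aid for
// responders, not a substitute for output encoding in the client.
const ACTIVE_CONTENT = [
  /<\s*script\b/i,
  /\bon[a-z]+\s*=/i,               // inline handlers such as onerror=
  /javascript\s*:/i,
  /<\s*(iframe|object|embed)\b/i,
];

// Returns the senders of every message whose body matches a pattern.
function findActiveContent(transcript) {
  return transcript
    .filter((m) => ACTIVE_CONTENT.some((re) => re.test(m.body)))
    .map((m) => m.from);
}

// Convenience: render a whole transcript the way a client would on reload.
function renderTranscript(transcript, safe) {
  const render = safe ? renderMessageSafe : renderMessageUnsafe;
  return transcript.map(render).join("\n");
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("flagged senders:", findActiveContent(SAMPLE_TRANSCRIPT));
  console.log("--- unsafe reload ---\n" + renderTranscript(SAMPLE_TRANSCRIPT, false));
  console.log("--- safe reload ---\n" + renderTranscript(SAMPLE_TRANSCRIPT, true));
}
```

The scan is deliberately applied to the stored bodies rather than to rendered output: once a body has been escaped, `onerror=&quot;` would still match the handler regex, so screening belongs at the persistence layer and encoding at the view.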
Affected products
HCL Software · HCL Notes
