CVE-2023-50349 (GCVE-0-2023-50349)
Vulnerability from cvelistv5 – Published: 2024-02-09 20:15 – Updated: 2025-06-17 20:06
VLAI?
Title
HCL Sametime is impacted by a Cross Site Request Forgery (CSRF) vulnerability
Summary
Sametime is impacted by a Cross Site Request Forgery (CSRF) vulnerability. Some REST APIs in the Sametime Proxy application can allow an attacker to perform malicious actions on the application.
Severity ?
5.9 (Medium)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| HCL Software | HCL Sametime |
Affected:
11.5, 11.6, 11.6 IF1, 12.0, 12.0 FP1, 12.0.1, 12.0.1 FP1
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:16:46.816Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0109082"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-50349",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-17T20:06:20.314188Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-17T20:06:40.334Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "HCL Sametime",
"vendor": "HCL Software",
"versions": [
{
"status": "affected",
"version": "11.5, 11.6, 11.6 IF1, 12.0, 12.0 FP1, 12.0.1, 12.0.1 FP1"
}
]
}
],
"datePublic": "2024-02-09T17:30:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eSametime is impacted by a Cross Site Request Forgery (CSRF) vulnerability. Some REST APIs in the Sametime Proxy application can allow an attacker to perform malicious actions on the application. \u003c/span\u003e\u003cbr\u003e"
}
],
"value": "Sametime is impacted by a Cross Site Request Forgery (CSRF) vulnerability. Some REST APIs in the Sametime Proxy application can allow an attacker to perform malicious actions on the application. \n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-09T20:15:03.715Z",
"orgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
"shortName": "HCL"
},
"references": [
{
"url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0109082"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "HCL Sametime is impacted by a Cross Site Request Forgery (CSRF) vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
"assignerShortName": "HCL",
"cveId": "CVE-2023-50349",
"datePublished": "2024-02-09T20:15:03.715Z",
"dateReserved": "2023-12-07T03:55:55.605Z",
"dateUpdated": "2025-06-17T20:06:40.334Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:hcltech:sametime:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"12.0.2\", \"matchCriteriaId\": \"FDA15EE5-1675-469C-BF7B-DB9FDE95F338\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"Sametime is impacted by a Cross Site Request Forgery (CSRF) vulnerability. Some REST APIs in the Sametime Proxy application can allow an attacker to perform malicious actions on the application. \\n\"}, {\"lang\": \"es\", \"value\": \"Sametime se ve afectado por una vulnerabilidad de Cross Site Request Forgery (CSRF). Algunas API REST de la aplicaci\\u00f3n Sametime Proxy pueden permitir que un atacante realice acciones maliciosas en la aplicaci\\u00f3n.\"}]",
"id": "CVE-2023-50349",
"lastModified": "2024-11-21T08:36:53.027",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"psirt@hcl.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N\", \"baseScore\": 5.9, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"PHYSICAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 0.7, \"impactScore\": 5.2}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\", \"baseScore\": 8.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 5.9}]}",
"published": "2024-02-09T21:15:07.840",
"references": "[{\"url\": \"https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0109082\", \"source\": \"psirt@hcl.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0109082\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
"sourceIdentifier": "psirt@hcl.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-352\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2023-50349\",\"sourceIdentifier\":\"psirt@hcl.com\",\"published\":\"2024-02-09T21:15:07.840\",\"lastModified\":\"2025-06-17T20:15:28.383\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Sametime is impacted by a Cross Site Request Forgery (CSRF) vulnerability. Some REST APIs in the Sametime Proxy application can allow an attacker to perform malicious actions on the application. \\n\"},{\"lang\":\"es\",\"value\":\"Sametime se ve afectado por una vulnerabilidad de Cross Site Request Forgery (CSRF). Algunas API REST de la aplicaci\u00f3n Sametime Proxy pueden permitir que un atacante realice acciones maliciosas en la aplicaci\u00f3n.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"psirt@hcl.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N\",\"baseScore\":5.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"PHYSICAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":0.7,\"impactScore\":5.2},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-352\"}]},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-352\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:hcltech:sametime:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"12.0.2\",\"matchCriteriaId\":\"FDA15EE5-1675-469C-BF7B-DB9FDE95F338\"}]}]}],\"references\":[{\"url\":\"https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0109082\",\"source\":\"psirt@hcl.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0109082\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0109082\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T22:16:46.816Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-50349\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-06-17T20:06:20.314188Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-352\", \"description\": \"CWE-352 Cross-Site Request Forgery (CSRF)\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-06-17T20:06:35.250Z\"}}], \"cna\": {\"title\": \"HCL Sametime is impacted by a Cross Site Request Forgery (CSRF) vulnerability\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.9, \"attackVector\": \"PHYSICAL\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N\"}]}], \"affected\": [{\"vendor\": \"HCL Software\", \"product\": \"HCL Sametime\", \"versions\": [{\"status\": \"affected\", \"version\": \"11.5, 11.6, 11.6 IF1, 12.0, 12.0 FP1, 12.0.1, 12.0.1 FP1\"}], \"defaultStatus\": \"unaffected\"}], \"datePublic\": \"2024-02-09T17:30:00.000Z\", \"references\": [{\"url\": \"https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0109082\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Sametime is impacted by a Cross Site Request Forgery (CSRF) vulnerability. Some REST APIs in the Sametime Proxy application can allow an attacker to perform malicious actions on the application. \\n\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eSametime is impacted by a Cross Site Request Forgery (CSRF) vulnerability. Some REST APIs in the Sametime Proxy application can allow an attacker to perform malicious actions on the application. \u003c/span\u003e\u003cbr\u003e\", \"base64\": false}]}], \"providerMetadata\": {\"orgId\": \"1e47fe04-f25f-42fa-b674-36de2c5e3cfc\", \"shortName\": \"HCL\", \"dateUpdated\": \"2024-02-09T20:15:03.715Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2023-50349\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-06-17T20:06:40.334Z\", \"dateReserved\": \"2023-12-07T03:55:55.605Z\", \"assignerOrgId\": \"1e47fe04-f25f-42fa-b674-36de2c5e3cfc\", \"datePublished\": \"2024-02-09T20:15:03.715Z\", \"assignerShortName\": \"HCL\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…