{ "id": "CVE-2021-27771", "sourceIdentifier": "psirt@hcl.com", "published": "2022-05-12T22:15:11.880", "lastModified": "2022-05-24T18:53:48.537", "vulnStatus": "Analyzed", "descriptions": [ { "lang": "en", "value": "User SID can be modified resulting in an Arbitrary File Upload or deletion of directories causing a Denial of Service. When interacting in a normal matter with the Sametime chat application, users hold a cookie containing their session ID (SID). This value is also used when sending chat messages, receiving notifications and/or transferring files." }, { "lang": "es", "value": "El SID del usuario puede ser modificado resultando en una Carga Arbitraria de Archivos o borrado de directorios causando una Denegaci\u00f3n de Servicio. Cuando interact\u00faan de manera normal con la aplicaci\u00f3n de chat de Sametime, los usuarios mantienen una cookie que contiene su ID de sesi\u00f3n (SID). Este valor tambi\u00e9n es usado cuando son enviados mensajes de chat, son recibidas notificaciones y/o son transferidos archivos" } ], "metrics": { "cvssMetricV31": [ { "source": "nvd@nist.gov", "type": "Primary", "cvssData": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "HIGH", "baseScore": 7.6, "baseSeverity": "HIGH" }, "exploitabilityScore": 2.8, "impactScore": 4.7 }, { "source": "psirt@hcl.com", "type": "Secondary", "cvssData": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "HIGH", "baseScore": 8.2, "baseSeverity": "HIGH" }, "exploitabilityScore": 2.3, "impactScore": 5.3 } ], "cvssMetricV2": [ { "source": "nvd@nist.gov", "type": "Primary", "cvssData": { "version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 6.5 }, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false } ] }, "weaknesses": [ { "source": "nvd@nist.gov", "type": "Primary", "description": [ { "lang": "en", "value": "CWE-434" } ] }, { "source": "psirt@hcl.com", "type": "Secondary", "description": [ { "lang": "en", "value": "CWE-22" }, { "lang": "en", "value": "CWE-434" } ] } ], "configurations": [ { "nodes": [ { "operator": "OR", "negate": false, "cpeMatch": [ { "vulnerable": true, "criteria": "cpe:2.3:a:hcltech:sametime:11.6:*:*:*:*:*:*:*", "matchCriteriaId": "0B6E07B1-4DD8-4D9C-8DC1-063FEAD8BA52" } ] } ] } ], "references": [ { "url": "https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0097430", "source": "psirt@hcl.com", "tags": [ "Vendor Advisory" ] } ] }