CVE-2021-27771 – HCL Sametime is susceptible a file transfer service vulnerability
https://notcve.org/view.php?id=CVE-2021-27771
User SID can be modified resulting in an Arbitrary File Upload or deletion of directories causing a Denial of Service. When interacting in a normal matter with the Sametime chat application, users hold a cookie containing their session ID (SID). This value is also used when sending chat messages, receiving notifications and/or transferring files. El SID del usuario puede ser modificado resultando en una Carga Arbitraria de Archivos o borrado de directorios causando una Denegación de Servicio. Cuando interactúan de manera normal con la aplicación de chat de Sametime, los usuarios mantienen una cookie que contiene su ID de sesión (SID). • https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0097430 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-434: Unrestricted Upload of File with Dangerous Type •
CVE-2021-27770 – HCL Sametime is vulnerable to arbitrary HTTP requests
https://notcve.org/view.php?id=CVE-2021-27770
The vulnerability was discovered within the “FaviconService”. The service takes a base64-encoded URL which is then requested by the webserver. We assume this service is used by the “meetings”-function where users can specify an external URL where the online meeting will take place. Una vulnerabilidad fue detectada dentro de "FaviconService". El servicio toma una URL codificada en base64 que luego es solicitada por el servidor web. • https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0097430 • CWE-472: External Control of Assumed-Immutable Web Parameter •
CVE-2021-27769 – HCL Sametime is vulnerable to an information disclosure
https://notcve.org/view.php?id=CVE-2021-27769
Information leakage occurs when a website reveals information that could aid an attacker to further exploit the system. This information may or may not be sensitive and does not automatically mean a breach is likely to occur. Overall, any information that could be used for an attack should be limited whenever possible. Un filtrado de información es producido cuando un sitio web revela información que podría ayudar a un atacante a seguir explotando el sistema. Esta información puede ser o no confidencial y no significa automáticamente que sea producida una brecha. • https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0097430 • CWE-472: External Control of Assumed-Immutable Web Parameter •
CVE-2021-27755
https://notcve.org/view.php?id=CVE-2021-27755
"Sametime Android potential path traversal vulnerability when using File class" "Una vulnerabilidad potencial de salto de ruta en Sametime Android cuando es usada la clase File" • https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0096575 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2021-27753
https://notcve.org/view.php?id=CVE-2021-27753
"Sametime Android PathTraversal Vulnerability" "Una vulnerabilidad de Salto de Ruta de Sametime Android" • https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0096575 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •