Arbitrary files disclosure in HCL Notes
| Risk | Medium |
| Patch available | NO |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2020-4089 |
| CWE-ID | CWE-20 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
HCL Notes Client/Desktop applications / Office applications |
| Vendor | HCL Technologies |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
1) Input validation error
EUVDB-ID: #VU45779
Risk: Medium
CVSSv3.1: 6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:U/RC:C]
CVE-ID: CVE-2020-4089
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to insufficient validation of user-supplied input within the "mailto" URI handler. A remote attacker can trick the victim to click on a specially crafted "mailto" link and attack to the email arbitrary file from the victim's system without any additional warning.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsHCL Notes: 9.0.0 - 11.0.1
External linkshttp://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0080343
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to visit a specially crafted website or open a file.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
