Vulnerability identifier: #VU45779
Vulnerability risk: Medium
CVSSv3.1: 6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:U/RC:C]
CVE-ID:
CWE-ID: CWE-20
Exploitation vector: Network
Exploit availability: No
Vulnerable software: HCL Notes (Client/Desktop applications / Office applications)
Vendor: HCL Technologies
Description
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to insufficient validation of user-supplied input within the "mailto" URI handler. A remote attacker can trick the victim into clicking on a specially crafted "mailto" link and attach an arbitrary file from the victim's system to the email without any additional warning.
Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versions
HCL Notes: 9.0.0 - 11.0.1
External links
http://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0080343
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.