CVE-2019-4409

5.4MEDIUM

Key Information:

Vendor: HCL Software
Status: Hcl Traveler
Vendor: CVE Published:; 18 October 2019

Summary

HCL Traveler versions 9.x and earlier are susceptible to cross-site scripting attacks. On the Problem Report page of the Traveler servlet pages, there is a field to specify a file attachment to provide additional problem details. An invalid file name returns an error message that includes the entered file name. If the file name is not escaped in the returned error page, it could expose a cross-site scripting (XSS) vulnerability.

Affected Version(s)

HCL Traveler 9.x and earlier versions

References

https://hclpnpsupport.hcltech.com/csm?id=kb_article&syspa...

x_refsource_CONFIRM

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Oct 18, 2019
Vulnerability Reserved
Jan 3, 2019