CVE-2023-37496

8.3 HIGH

📋 TL;DR

HCL Verse contains a stored cross-site scripting (XSS) vulnerability that allows attackers to inject malicious scripts into web pages. When victims view these compromised pages, the scripts execute in their browsers, potentially enabling attackers to perform actions as the victim or steal sensitive information like session tokens. This affects all users of vulnerable HCL Verse installations.

💻 Affected Systems

Products:
  • HCL Verse
Versions: prior to 3.0.0.6
Operating Systems: All platforms running HCL Verse
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments with vulnerable versions are affected regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete account takeover, data theft, and unauthorized actions performed as authenticated users, potentially leading to organizational data breaches.

🟠

Likely Case

Session hijacking, credential theft, and unauthorized actions within the victim's HCL Verse account.

🟢

If Mitigated

Limited impact with proper input validation, output encoding, and Content Security Policy (CSP) headers in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Stored XSS vulnerabilities are commonly exploited and require authenticated access to inject payloads.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.0.0.6 and later

Vendor Advisory: https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0105904

Restart Required: Yes

Instructions:

1. Download HCL Verse version 3.0.0.6 or later from the HCL support portal.
2. Back up the current installation.
3. Apply the update following HCL's upgrade documentation.
4. Restart the HCL Verse services.

🔧 Temporary Workarounds

Implement Content Security Policy (applies to: all)

  • Add CSP headers to restrict script execution sources
  • Add a 'Content-Security-Policy' header with appropriate directives to the web server configuration

Input Validation Filtering (applies to: all)

  • Implement server-side input validation to sanitize user inputs
  • Implement input validation in application code to filter script tags and JavaScript event handlers

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block XSS payloads
  • Disable user input fields that accept HTML/JavaScript content

🔍 How to Verify

Check if Vulnerable:

Check the HCL Verse version via the administrative interface or configuration files. If the version is below 3.0.0.6, the system is vulnerable.

Check Version:

Check the HCL Verse version in the administrative console or configuration files (location varies by deployment).

Verify Fix Applied:

Verify the version is 3.0.0.6 or higher and test input fields for XSS payload acceptance.

📡 Detection & Monitoring

Log Indicators:

  • Unusual script tags or JavaScript in user inputs
  • Multiple failed XSS attempts in web logs

Network Indicators:

  • Suspicious JavaScript payloads in HTTP requests
  • Unexpected external script loads

SIEM Query:

web_logs WHERE (request_uri CONTAINS "<script>" OR request_body CONTAINS "javascript:") AND status_code = 200
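The query above does a literal, case-sensitive match, so URL-encoded or mixed-case payloads slip past it. The following is an added example, not part of the advisory, that runs the query's logic over constructed log records in Python next to a decoded, case-insensitive variant; the field names follow the query above and the log lines are constructed samples.

```python
import re
from urllib.parse import unquote

# Indicators from the page's query, matched case-insensitively after decoding.
PATTERNS = [re.compile(r"<script", re.IGNORECASE),
            re.compile(r"javascript:", re.IGNORECASE)]

# Constructed sample records, shaped like the query's fields (not real logs).
SAMPLE_LOGS = [
    {"request_uri": "/verse/mail", "request_body": "subject=Hi&body=Q3+numbers", "status_code": 200},
    {"request_uri": "/verse/mail", "request_body": "body=%3Cscript%3Ealert(1)%3C%2Fscript%3E", "status_code": 200},
    {"request_uri": "/verse/search?q=%3CSCRIPT%3E", "request_body": "", "status_code": 200},
    {"request_uri": "/verse/mail", "request_body": "body=<script>x</script>", "status_code": 403},
    {"request_uri": "/verse/profile", "request_body": "link=JavaScript:void(0)", "status_code": 200},
]

def literal_match(record: dict) -> bool:
    """The page's query as written: exact, case-sensitive CONTAINS on raw fields."""
    return (record["status_code"] == 200 and
            ("<script>" in record["request_uri"] or "javascript:" in record["request_body"]))

def decode(value: str) -> str:
    """URL-decode up to three rounds so double-encoded payloads are exposed."""
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_suspicious(record: dict) -> bool:
    """Hardened variant: decode both fields, match case-insensitively, keep the 200 filter."""
    if record["status_code"] != 200:
        return False  # blocked attempts (e.g. 403) fall outside the page's query by design
    text = decode(record["request_uri"]) + "\n" + decode(record["request_body"])
    return any(p.search(text) for p in PATTERNS)

def flag_records(records, matcher=is_suspicious):
    """Return the indices of records the given matcher surfaces."""
    return [i for i, r in enumerate(records) if matcher(r)]

if __name__ == "__main__":
    print("literal query hits:", flag_records(SAMPLE_LOGS, literal_match))  # []
    print("hardened query hits:", flag_records(SAMPLE_LOGS, is_suspicious))  # [1, 2, 4]
```

Against the same five constructed records the literal query surfaces nothing while the decoded variant surfaces three; the 403 record is dropped by both because the query only keeps status 200.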

🔗 References
