CVE-2023-37501

8.1 HIGH

📋 TL;DR

A persistent cross-site scripting (XSS) vulnerability in Unica Campaign allows attackers to inject malicious scripts into a specific field. When users view this field, the script executes in their browser, potentially hijacking sessions and performing unauthorized actions. This affects all Unica Campaign users who access the vulnerable interface.

💻 Affected Systems

Products:
  • HCL Unica Campaign
Versions: All versions prior to 12.1.2.1
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated access to the vulnerable field within Unica Campaign.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete account takeover, data theft, privilege escalation, and lateral movement within the Unica Campaign environment.

🟠 Likely Case

Session hijacking leading to unauthorized campaign modifications, data exfiltration, and credential theft.

🟢 If Mitigated

Limited impact with proper input validation, output encoding, and Content Security Policy (CSP) headers in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is straightforward once access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 12.1.2.1

Vendor Advisory: https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0106556

Restart Required: Yes

Instructions:

1. Download the patch from the HCL support portal.
2. Back up the current installation.
3. Apply the patch following vendor instructions.
4. Restart Unica Campaign services.
5. Verify the update was applied successfully.

🔧 Temporary Workarounds

Input Validation Enhancement

all

Implement strict input validation on the vulnerable field to reject script tags and malicious content.

Configure input validation rules in Unica Campaign administration interface

Output Encoding

all

Apply proper HTML encoding to all user-controlled data before rendering in the browser.

Modify application code to encode output using HTML entity encoding

🧯 If You Can't Patch

  • Restrict access to the vulnerable interface using network segmentation and strict access controls.
  • Implement Content Security Policy (CSP) headers to prevent script execution from untrusted sources.

🔍 How to Verify

Check if Vulnerable:

Check Unica Campaign version via administration console. If version is below 12.1.2.1, system is vulnerable.

Check Version:

Check version in Unica Campaign administration interface or configuration files.

Verify Fix Applied:

Verify version is 12.1.2.1 or higher in administration console and test the vulnerable field with XSS payloads.

📡 Detection & Monitoring

Log Indicators:

  • Unusual field modifications
  • Script tags in field content
  • Multiple failed login attempts followed by field access

Network Indicators:

  • HTTP requests containing script payloads to vulnerable endpoints
  • Unusual outbound connections after field access

SIEM Query:

source="unica_campaign" AND (message="*<script>*" OR message="*javascript:*")
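As an added example (not part of this advisory or of HCL's tooling), the logic of the SIEM query above applied in Python to constructed log records. The match is broadened to the prefix `<script` and made case-insensitive so a tag carrying attributes or mixed case is still flagged; the record layout and sample values are invented.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample records (not real Unica Campaign logs). The "source" and
# "message" keys mirror the fields named in the SIEM query.
SAMPLE_LOGS: List[Dict[str, str]] = [
    {"source": "unica_campaign", "user": "alice", "field": "description",
     "message": "Saved description: Spring promo for loyalty members"},
    {"source": "unica_campaign", "user": "bob", "field": "description",
     "message": "Saved description: <script>document.title</script>"},
    {"source": "unica_campaign", "user": "carol", "field": "description",
     "message": 'Saved description: <SCRIPT TYPE="text/javascript">1</SCRIPT>'},
    {"source": "unica_campaign", "user": "dave", "field": "notes",
     "message": "Saved notes: see javascript:void(0)"},
    {"source": "unica_campaign", "user": "erin", "field": "notes",
     "message": "Saved notes: Javascript course for marketers"},
    {"source": "web_proxy", "user": "-", "field": "-",
     "message": "GET /static/<script>"},
]

# Equivalent of message="*<script>*" OR message="*javascript:*", but matched
# as a prefix and case-insensitively; "<script>" alone would miss a tag that
# carries attributes, and an exact-case match would miss "<SCRIPT>".
SCRIPT_MARKERS = re.compile(r"<\s*script\b|javascript\s*:", re.IGNORECASE)


def is_suspicious(record: Dict[str, str]) -> bool:
    """True when a unica_campaign record carries a script marker."""
    if record.get("source") != "unica_campaign":
        return False
    return SCRIPT_MARKERS.search(record.get("message", "")) is not None


def triage(records: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Reduce matching records to the fields an analyst pivots on."""
    hits = []
    for rec in records:
        if is_suspicious(rec):
            hits.append({"user": rec.get("user", "?"),
                         "field": rec.get("field", "?"),
                         "snippet": rec["message"][:60]})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOGS):
        print(hit)
```

A hit only says that markup or a `javascript:` URL reached the field; confirming the vulnerability still requires the version check described under "How to Verify".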
