CVE-2021-27785 - OpenCVE

HCL Commerce's Remote Store server could allow a local attacker to obtain sensitive personal information. The vulnerability requires the victim to first perform a particular operation on the website.

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Hcltechsw	Hcl Commerce

Configuration 1 [-]

OR	cpe:2.3:a:hcltechsw:hcl_commerce::::::::
	cpe:2.3:a:hcltechsw:hcl_commerce::::::::

References

Link	Resource
https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0099765	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: HCL

Published: 2022-07-29T00:00:00

Updated: 2022-07-29T23:55:09

Reserved: 2021-02-26T00:00:00

Link: CVE-2021-27785

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-07-30T00:15:08.380

Modified: 2022-08-10T12:20:31.977

Link: CVE-2021-27785

JSON object: View

Redhat Information

No data.

CWE

CWE-522

{"containers": {"cna": {"affected": [{"product": "HCL Commerce", "vendor": "HCL Software", "versions": [{"status": "affected", "version": "9.0.1, 9.1"}]}], "datePublic": "2022-07-29T00:00:00", "descriptions": [{"lang": "en", "value": "HCL Commerce's Remote Store server could allow a local attacker to obtain sensitive personal information. The vulnerability requires the victim to first perform a particular operation on the website."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "LOW", "baseScore": 3.9, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-522", "description": "CWE-522 Insufficiently Protected Credentials", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-07-29T23:55:09", "orgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc", "shortName": "HCL"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0099765"}], "source": {"discovery": "UNKNOWN"}, "title": "HCL Commerce could allow a local attacker to obtain sensitive personal information (CVE-2021-27785)", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@hcl.com", "DATE_PUBLIC": "2022-07-29T12:36:00.000Z", "ID": "CVE-2021-27785", "STATE": "PUBLIC", "TITLE": "HCL Commerce could allow a local attacker to obtain sensitive personal information (CVE-2021-27785)"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "HCL Commerce", "version": {"version_data": [{"version_value": "9.0.1, 9.1"}]}}]}, "vendor_name": "HCL Software"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "HCL Commerce's Remote Store server could allow a local attacker to obtain sensitive personal information. The vulnerability requires the victim to first perform a particular operation on the website."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "LOW", "baseScore": 3.9, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-522 Insufficiently Protected Credentials"}]}]}, "references": {"reference_data": [{"name": "https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0099765", "refsource": "MISC", "url": "https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0099765"}]}, "source": {"discovery": "UNKNOWN"}}}}, "cveMetadata": {"assignerOrgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc", "assignerShortName": "HCL", "cveId": "CVE-2021-27785", "datePublished": "2022-07-29T00:00:00", "dateReserved": "2021-02-26T00:00:00", "dateUpdated": "2022-07-29T23:55:09", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hcltechsw:hcl_commerce:*:*:*:*:*:*:*:*", "matchCriteriaId": "8A43CA4F-98FA-4E42-A41E-606D1B302ED3", "versionEndIncluding": "9.0.1.18", "versionStartIncluding": "9.0.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:hcltechsw:hcl_commerce:*:*:*:*:*:*:*:*", "matchCriteriaId": "E16A9ED1-2EFD-4CAD-974F-D34AA6BA7EEB", "versionEndIncluding": "9.1.10", "versionStartIncluding": "9.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "HCL Commerce's Remote Store server could allow a local attacker to obtain sensitive personal information. The vulnerability requires the victim to first perform a particular operation on the website."}, {"lang": "es", "value": "El servidor de la tienda remota de HCL Commerce podr\u00eda permitir a un atacante local obtener informaci\u00f3n personal confidencial. La vulnerabilidad requiere que la v\u00edctima lleve a cabo primero una operaci\u00f3n determinada en el sitio web"}], "id": "CVE-2021-27785", "lastModified": "2022-08-10T12:20:31.977", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "LOW", "baseScore": 3.9, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 0.5, "impactScore": 3.4, "source": "psirt@hcl.com", "type": "Secondary"}]}, "published": "2022-07-30T00:15:08.380", "references": [{"source": "psirt@hcl.com", "tags": ["Vendor Advisory"], "url": "https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0099765"}], "sourceIdentifier": "psirt@hcl.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-522"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-522"}], "source": "psirt@hcl.com", "type": "Secondary"}]}