CVE-2022-38660 HCL XPages applications are susceptible to a Cross Site Request Forgery (CSRF) vulnerability
Note that the following actions are only possible if the user has the ‘Manage applications’ permission. This permission is only granted to administrators by default. The following actions can be performed:
- Change the application URL
- Change the application homepage
- Modify the application settings
- Delete application
- Add/remove/edit application users
- View/change application statistics
Change the application URL
If you have a paid application on the App Store, your app's URL is automatically generated. This means that if you want to change the URL of your app, you will need to submit a new version of the app through iTunes Connect.
Exploit payload creation
In order to use this exploit, the attacker must be able to create a payload in the format of:
/payload=
Timeline
Published on: 11/04/2022 20:15:00 UTC
Last modified on: 11/07/2022 17:18:00 UTC