CVE-2023-45696: Vulnerability in HCL Software HCL Sametime
Sametime is impacted by sensitive fields with autocomplete enabled in the Legacy web chat client. By default, this allows user-entered data to be stored by the browser.
AI Analysis
Technical Summary
CVE-2023-45696 is a medium-severity vulnerability affecting multiple versions of HCL Software's HCL Sametime product, specifically versions 11.5 through 12.0.1 FP1. The vulnerability arises from the Legacy web chat client component of Sametime, where sensitive input fields have the HTML autocomplete attribute enabled by default. This configuration causes user-entered sensitive data to be stored locally by the browser's autocomplete feature. While this does not directly expose data over the network or allow unauthorized remote access, it creates a risk that sensitive information such as passwords, tokens, or confidential chat inputs could be retrieved from the browser's stored autocomplete entries by an attacker with local access to the user's device or through malware. The vulnerability is classified under CWE-524, which relates to sensitive data being stored in browser caches or autocomplete fields, leading to potential confidentiality breaches. The CVSS v3.1 score is 4.0, reflecting a medium severity level, with the vector indicating that the attack requires physical or local access (Attack Vector: Physical), high attack complexity, no privileges required, and user interaction is necessary. The impact is primarily on confidentiality, with no direct effect on integrity or availability. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability is mitigated by disabling autocomplete on sensitive fields or upgrading to a version where this behavior is corrected.
Potential Impact
For European organizations using HCL Sametime, especially those relying on the Legacy web chat client, this vulnerability poses a confidentiality risk. Sensitive information entered by users could be inadvertently stored in browser autocomplete caches, increasing the risk of data leakage if devices are shared, lost, or compromised by malware. This is particularly concerning for organizations handling regulated or sensitive data, such as financial institutions, healthcare providers, and government agencies, where unauthorized disclosure could lead to compliance violations under GDPR and other privacy regulations. The risk is heightened in environments where endpoint security is weak or where users have elevated privileges on their devices. However, since exploitation requires local or physical access and user interaction, remote attackers cannot easily leverage this vulnerability to compromise systems. The lack of known exploits reduces immediate risk but does not eliminate the potential for future targeted attacks, especially in high-value environments.
Mitigation Recommendations
European organizations should take specific steps beyond generic advice:
1) Audit and identify all deployments of HCL Sametime Legacy web chat clients within their environment.
2) Disable the autocomplete attribute on all sensitive input fields in the chat client configuration or through custom client-side scripting to prevent browsers from caching sensitive data.
3) Enforce endpoint security policies that restrict local access to authorized personnel only and implement disk encryption to protect stored browser data.
4) Educate users about the risks of storing sensitive information in browser autocomplete fields and encourage the use of secure password managers instead.
5) Monitor for updates or patches from HCL Software and plan timely upgrades to fixed versions once available.
6) Consider migrating from the Legacy web chat client to newer, more secure communication platforms if feasible.
7) Implement browser security configurations or group policies that limit or disable autocomplete features for enterprise-managed devices.
These targeted mitigations will reduce the risk of sensitive data exposure through this vulnerability.
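As an added example (not code from this advisory, from HCL, or from the Sametime product), the following Node script puts steps 1) and 2) above into a form a reviewer can run offline over exported page templates: it audits every <input> tag for sensitive fields that still allow browser autocomplete (the CWE-524 weakness described above) and rewrites them to opt out. The sensitivity heuristic, the sample login form and its /chat/login path are constructed assumptions, not taken from the Legacy web chat client. One caveat the advisory does not spell out: most modern browsers ignore autocomplete="off" on password fields but honour autocomplete="new-password", so the hardening step uses that value for password inputs and "off" for everything else.

```javascript
// Added example, not code from the advisory or from HCL Sametime: audit and
// harden sensitive <input> fields whose browser autocomplete is left enabled
// (the CWE-524 pattern described above). Operates on raw HTML strings so it can
// run offline in Node against exported templates. The sample form below is
// constructed for illustration and is not taken from the Legacy web chat client.

// Heuristic for "sensitive": password inputs, or names that suggest credentials
// or secrets. Deliberately broad; an audit should over-report and let a human triage.
const SENSITIVE_NAME_PATTERN = /passw|pwd|token|secret|otp|pin|ssn|card|cvv/i;

// Values that opt a field out of autofill. Most modern browsers ignore
// autocomplete="off" on password fields but honour "new-password", so that is
// the value applied to password inputs when hardening.
const OPT_OUT_VALUES = new Set(["off", "new-password"]);

// Parse the attributes of one <input ...> tag into a lowercase-keyed object.
function parseAttributes(tag) {
  const attrs = {};
  const body = tag.replace(/^<input\b/i, "");
  const re = /([^\s=\/>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

function isSensitive(attrs) {
  const type = (attrs.type || "text").toLowerCase();
  return type === "password" || SENSITIVE_NAME_PATTERN.test(attrs.name || "");
}

// Per-field check: a missing attribute means the browser default (enabled).
// A form-level autocomplete="off" is intentionally not credited, because the
// field should opt out itself regardless of how the form is later embedded.
function autocompleteEnabled(attrs) {
  const value = (attrs.autocomplete || "").toLowerCase();
  return !OPT_OUT_VALUES.has(value);
}

// Return one finding per sensitive input that the browser may store.
function auditSensitiveFields(html) {
  const findings = [];
  for (const tag of html.match(/<input\b[^>]*>/gi) || []) {
    const attrs = parseAttributes(tag);
    if (isSensitive(attrs) && autocompleteEnabled(attrs)) {
      findings.push({
        name: attrs.name || "(unnamed)",
        type: (attrs.type || "text").toLowerCase(),
        autocomplete: attrs.autocomplete ?? "(absent, defaults to on)",
      });
    }
  }
  return findings;
}

// Replace (or add) the autocomplete attribute on a single tag.
function setAutocomplete(tag, value) {
  const stripped = tag.replace(/\s+autocomplete\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>\/]+)/i, "");
  return stripped.replace(/\s*(\/?)>$/, ` autocomplete="${value}"$1>`);
}

// Rewrite the markup so every flagged field opts out of autofill.
function hardenSensitiveFields(html) {
  return html.replace(/<input\b[^>]*>/gi, (tag) => {
    const attrs = parseAttributes(tag);
    if (!isSensitive(attrs) || !autocompleteEnabled(attrs)) return tag;
    const isPassword = (attrs.type || "").toLowerCase() === "password";
    return setAutocomplete(tag, isPassword ? "new-password" : "off");
  });
}

// Constructed sample: a login form in the weak state, with one field already opted out.
const SAMPLE_LEGACY_FORM = `
<form action="/chat/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password" autocomplete="on">
  <input type="text" name="session_token"/>
  <input type="text" name="display_name" autocomplete="off">
  <input type="submit" value="Sign in">
</form>`;

const HARDENED_FORM = hardenSensitiveFields(SAMPLE_LEGACY_FORM);

console.log("findings before:", auditSensitiveFields(SAMPLE_LEGACY_FORM));
console.log("findings after:", auditSensitiveFields(HARDENED_FORM));
console.log(HARDENED_FORM);
```

Run it with `node audit-autocomplete.js` against any exported template; two findings are reported for the sample (the password field with autocomplete="on" and the token field with no attribute at all), and none after hardening. The regex-based tag handling is adequate for a template audit but is not a full HTML parser; for production templating, set the attribute at the source rather than post-processing rendered markup.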
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Belgium, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: HCL
- Date Reserved: 2023-10-10T21:26:06.755Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 683f45d9182aa0cae28897d0
Added to database: 6/3/2025, 6:58:33 PM
Last enriched: 7/4/2025, 1:42:38 PM
Last updated: 8/13/2025, 8:07:43 AM
Views: 13
Related Threats
- CVE-2025-8878: CWE-94 Improper Control of Generation of Code ('Code Injection') in properfraction Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress (Medium)
- CVE-2025-8143: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in pencidesign Soledad (Medium)
- CVE-2025-8142: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in pencidesign Soledad (High)
- CVE-2025-8105: CWE-94 Improper Control of Generation of Code ('Code Injection') in pencidesign Soledad (High)
- CVE-2025-8719: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in reubenthiessen Translate This gTranslate Shortcode (Medium)