
CVE-2023-45718: Vulnerability in HCL Software HCL Sametime

Severity: Low
Published: Fri Feb 09 2024 (02/09/2024, 21:22:09 UTC)
Source: CVE Database V5
Vendor/Project: HCL Software
Product: HCL Sametime

Description

Sametime is impacted by a failure to invalidate sessions. The application is setting sensitive cookie values in a persistent manner in Sametime Web clients. When this happens, cookie values can remain valid even after a user has closed out their session.

AI-Powered Analysis

Last updated: 07/04/2025, 13:26:37 UTC

Technical Analysis

CVE-2023-45718 is a vulnerability identified in HCL Software's HCL Sametime product, affecting versions 11.5 through 12.0.1 FP1. The core issue arises from the application's failure to properly invalidate session cookies in Sametime Web clients. Specifically, sensitive cookie values are set in a persistent manner, meaning that these cookies remain valid even after a user has explicitly closed their session. This behavior violates secure session management best practices and corresponds to CWE-613 (Insufficient Session Expiration). The vulnerability allows an attacker with access to a user's device or browser to potentially reuse these persistent cookies to impersonate the user without needing to re-authenticate. The CVSS v3.1 base score is 3.9, indicating a low severity level. The vector string (CVSS:3.1/AV:P/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N) shows that the attack requires physical access (AV:P), high attack complexity (AC:H), low privileges (PR:L), and user interaction (UI:R). The impact is primarily on confidentiality, as an attacker could gain unauthorized access to sensitive information by hijacking the session. There is no impact on integrity or availability. No known exploits are currently reported in the wild, and no patches or mitigation links are provided in the source data. The vulnerability is significant in environments where devices are shared or physically accessible by multiple users, increasing the risk of session hijacking through persistent cookies. Organizations using affected versions of HCL Sametime should be aware of this risk and consider compensating controls until official patches are available.

Potential Impact

For European organizations, the vulnerability poses a moderate confidentiality risk, especially in sectors where sensitive communications occur over HCL Sametime, such as finance, government, healthcare, and critical infrastructure. Persistent session cookies could allow unauthorized individuals with physical or local access to a user's device to access confidential chat histories, meeting details, or other sensitive collaboration data. This risk is heightened in environments with shared workstations or insufficient endpoint security controls. While the vulnerability does not affect system integrity or availability, the exposure of confidential information could lead to data breaches, regulatory non-compliance (e.g., GDPR), reputational damage, and potential financial penalties. The requirement for physical access and user interaction limits remote exploitation, but insider threats or theft/loss of devices could still trigger incidents. Organizations relying heavily on HCL Sametime for internal or external communications should evaluate their session management policies and endpoint security measures to mitigate this risk.

Mitigation Recommendations

1. Implement strict endpoint security controls to prevent unauthorized physical access to devices running Sametime Web clients, including screen locking, device encryption, and user authentication policies.
2. Educate users to log out explicitly from Sametime sessions rather than relying on closing browser windows or tabs, reducing the chance of persistent cookie reuse.
3. Where possible, configure browser settings or use browser extensions to clear cookies and site data upon session termination or browser closure.
4. Monitor and audit session activities and access logs for unusual patterns that may indicate session hijacking attempts.
5. Deploy network-level controls such as VPNs and zero-trust architectures to limit access to Sametime services only to trusted devices and users.
6. Engage with HCL Software support channels to obtain official patches or updates addressing this vulnerability as they become available.
7. Consider multi-factor authentication (MFA) for Sametime access to add an additional layer of security, mitigating risks from stolen session cookies.
8. Review and update session timeout and cookie expiration policies within Sametime configuration if configurable, to enforce shorter session lifetimes and reduce exposure.
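To check whether a web client is affected by the pattern this advisory describes (a session-bearing cookie issued with Max-Age or Expires so that it outlives the browser session), the following added example audits Set-Cookie headers captured from HTTP responses. It is not HCL's code or tooling; the cookie names it treats as sensitive and the sample headers are constructed for the example, since the advisory does not name Sametime's actual cookies.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Session-bearing cookie names (constructed; the advisory does not name Sametime's cookies).
SENSITIVE_NAMES = {"jsessionid", "sessionid", "auth_token"}

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, {lowercase_attr: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return name.strip(), value, attrs

def is_persistent(attrs, now):
    """A positive Max-Age or a future Expires makes the cookie outlive the browser
    session; Max-Age wins over Expires (RFC 6265), and Max-Age=0 or a past date deletes."""
    try:
        if "max-age" in attrs:
            return int(attrs["max-age"]) > 0
        if "expires" in attrs:
            return parsedate_to_datetime(attrs["expires"]) > now
    except (TypeError, ValueError):
        pass  # a malformed attribute is ignored by browsers, so the cookie stays session-scoped
    return False

def audit_set_cookies(headers, now=None):
    """Return [(name, [issues])] for sensitive cookies that persist or lack Secure/HttpOnly."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for h in headers:
        name, _, attrs = parse_set_cookie(h)
        if name.lower() not in SENSITIVE_NAMES:
            continue  # e.g. UI preferences may legitimately persist
        issues = []
        if is_persistent(attrs, now):
            issues.append("persistent: survives session close (CWE-613)")
        if "secure" not in attrs:
            issues.append("missing Secure")
        if "httponly" not in attrs:
            issues.append("missing HttpOnly")
        if issues:
            findings.append((name, issues))
    return findings

# Constructed sample responses: the weak pattern the advisory describes, then the corrected form.
WEAK_HEADER = "JSESSIONID=abc123; Path=/; Expires=Thu, 09 Feb 2034 21:22:09 GMT; Secure; HttpOnly"
FIXED_HEADER = "JSESSIONID=abc123; Path=/; Secure; HttpOnly"
```

Flagging the cookie on the client side is only half of the check: the server must also invalidate the session record on logout, otherwise a copied cookie value stays usable regardless of how the browser stores it.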


Technical Details

Data Version: 5.1
Assigner Short Name: HCL
Date Reserved: 2023-10-10T21:26:10.163Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 683f45d9182aa0cae28897d4

Added to database: 6/3/2025, 6:58:33 PM

Last enriched: 7/4/2025, 1:26:37 PM

Last updated: 8/18/2025, 11:35:31 PM
