
CVE-2024-30145: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in HCL Software HCL Domino Leap

Medium
Tags: Vulnerability, CVE-2024-30145, CWE-79
Published: Wed Apr 30 2025 (04/30/2025, 21:15:23 UTC)
Source: CVE
Vendor/Project: HCL Software
Product: HCL Domino Leap

Description

Multiple vectors in HCL Domino Volt and Domino Leap allow client-side script injection in the authoring environment and deployed applications.

AI-Powered Analysis

AI analysis last updated: 06/25/2025, 20:29:04 UTC

Technical Analysis

CVE-2024-30145 is a cross-site scripting (XSS) vulnerability classified under CWE-79, affecting HCL Software's HCL Domino Leap product, specifically versions 1.0 through 1.0.5 and 1.1 through 1.1.4. The vulnerability arises from improper neutralization of input during web page generation, allowing an attacker to inject client-side scripts into both the authoring environment and deployed applications. This means that malicious actors can craft input that is not properly sanitized or encoded, leading to execution of arbitrary JavaScript in the context of the affected web application. The vulnerability does not require authentication (PR:N) but does require user interaction (UI:R), such as a user clicking a malicious link or visiting a crafted page. The attack vector is network-based (AV:N), indicating that exploitation can occur remotely over the internet or intranet. The scope is unchanged (S:U), meaning the vulnerability affects resources within the same security scope. The impact is primarily on confidentiality (C:H), with no direct impact on integrity (I:N) or availability (A:N). This suggests that an attacker could potentially steal sensitive information accessible to the victim's browser session, such as session tokens or personal data, but cannot modify or disrupt the application or its data. No known exploits are currently reported in the wild, and no official patches have been linked yet. Given the nature of the vulnerability, it affects both the development (authoring) environment and the runtime deployed applications, increasing the risk of exploitation during both application creation and use phases. The vulnerability is rated with a CVSS 3.1 score of 6.5, categorized as medium severity.

Potential Impact

For European organizations using HCL Domino Leap, this vulnerability poses a significant risk to the confidentiality of sensitive data processed or displayed by affected applications. Since HCL Domino Leap is used for rapid application development and deployment, organizations relying on it for internal business processes, customer portals, or data management could face data leakage through session hijacking or theft of sensitive information via injected scripts. The fact that the vulnerability affects both the authoring environment and deployed applications increases the attack surface, potentially allowing attackers to compromise development workflows or end-user sessions. This could lead to unauthorized access to confidential business data, intellectual property, or personal data protected under GDPR, resulting in regulatory penalties and reputational damage. The requirement for user interaction means phishing or social engineering could be used to trigger exploitation, which is a common attack vector in targeted campaigns. The lack of impact on integrity and availability reduces the risk of data manipulation or service disruption but does not eliminate the threat to data confidentiality and privacy. Organizations in sectors with high compliance requirements, such as finance, healthcare, and government, may be particularly concerned about this vulnerability due to the sensitivity of the data handled.

Mitigation Recommendations

1. Implement strict input validation and output encoding in all custom applications developed with HCL Domino Leap to prevent injection of malicious scripts.
2. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts within the application context.
3. Educate users and developers about the risks of XSS and the importance of avoiding clicking on suspicious links or opening untrusted content related to the affected applications.
4. Monitor network traffic and application logs for unusual activity indicative of attempted XSS exploitation, such as unexpected script payloads or anomalous user behavior.
5. Isolate the authoring environment from public networks and restrict access to trusted personnel only, minimizing exposure to remote attackers.
6. Apply any available vendor patches or updates as soon as they are released by HCL Software.
7. Use web application firewalls (WAFs) with rules tailored to detect and block XSS attack patterns targeting HCL Domino Leap applications.
8. Conduct regular security assessments and code reviews focusing on input handling and output encoding in applications built with Domino Leap.
9. Implement multi-factor authentication (MFA) for access to the authoring environment to reduce the risk of unauthorized access that could facilitate exploitation.
10. Develop incident response plans specifically addressing XSS incidents to quickly contain and remediate any exploitation attempts.


Technical Details

Data Version: 5.1
Assigner Short Name: HCL
Date Reserved: 2024-03-22T23:57:24.981Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d9839c4522896dcbeca4a

Added to database: 5/21/2025, 9:09:13 AM

Last enriched: 6/25/2025, 8:29:04 PM

Last updated: 7/31/2025, 10:15:24 AM

Views: 19
