CVE-2023-37495

MEDIUM

HCL Domino 9.0-14.0 - Weak Password Hashing in Person Documents

Title source: llm

Description

Internet passwords stored in Person documents in the Domino® Directory created using the "Add Person" action on the People & Groups tab in the Domino® Administrator are secured using a cryptographically weak hash algorithm. This could enable attackers with access to the hashed value to determine a user's password, e.g. using a brute force attack. This issue does not impact Person documents created through user registration https://help.hcltechsw.com/domino/10.0.1/admin/conf_userregistration_c.html .

References (1)

Core 1

Core References

Vendor Advisory

https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0107585

Scores

CVSS v3 5.9

EPSS 0.0025

EPSS Percentile 48.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-306

Status published

Products (1)

hcltech/domino 9.0 - 14.0

Published Feb 29, 2024

Tracked Since Feb 18, 2026