Product: IBM Sametime
64 known vulnerabilities across versions
Vulnerabilities are listed by affected version.
| CVE | Affected version | Description |
|---|---|---|
| CVE-2025-31966 | < 12.0.3 | HCL Sametime is vulnerable to broken server-side validation. While the application performs client-side input checks, these are no |
| CVE-2026-21791 | < 12.0.22 | HCL Sametime for Android is impacted by a sensitive information disclosure. Hostnames information is written in application logs |
| CVE-2026-21786 | < 12.0.26 | HCL Sametime for iOS is impacted by a sensitive information disclosure. Hostnames information is written in application logs and |
| CVE-2023-50355 | < 12.0.2 | HCL Sametime is impacted by the error messages containing sensitive information. An attacker can use this information to launch a |
| CVE-2024-30124 | < 12.0.2 | HCL Sametime is impacted by insecure services in-use on the UIM client by default. An unused legacy REST service was enabled by de |
| CVE-2024-30122 | < 12.0.2 | HCL Sametime is impacted by misconfigured security related HTTP headers. It was identified that some HTTP headers were missing on |
| CVE-2023-37540 | >= 11.5 and < 12.0.2 | Sametime Connect desktop chat client includes, but does not use or require, the use of an Eclipse feature called Secure Storage. U |
| CVE-2023-45696 | >= 11.5 and < 12.0.2 | Sametime is impacted by sensitive fields with autocomplete enabled in the Legacy web chat client. By default, this allows user ent |
| CVE-2023-45718 | >= 11.5 and < 12.0.2 | Sametime is impacted by a failure to invalidate sessions. The application is setting sensitive cookie values in a persistent mann |
| CVE-2023-45716 | < 12.0.2 | Sametime is impacted by sensitive information passed in URL. |
| CVE-2023-50349 | < 12.0.2 | Sametime is impacted by a Cross Site Request Forgery (CSRF) vulnerability. Some REST APIs in the Sametime Proxy application can a |
| CVE-2022-42446 | all versions | Starting with Sametime 12, anonymous users are enabled by default. After logging in as an anonymous user, one has the ability to b |
| CVE-2021-27773 | all versions | This vulnerability allows users to execute a clickjacking attack in the meeting's chat. |
| CVE-2021-27772 | all versions | Users are able to read group conversations without actively taking part in them. Next to one to one conversations, users are able |
| CVE-2021-27771 | all versions | User SID can be modified resulting in an Arbitrary File Upload or deletion of directories causing a Denial of Service. When intera |
| CVE-2021-27770 | all versions | The vulnerability was discovered within the “FaviconService”. The service takes a base64-encoded URL which is then requested b |
| CVE-2021-27769 | all versions | Information leakage occurs when a website reveals information that could aid an attacker to further exploit the system. This infor |
| CVE-2019-10297 | all versions | Jenkins Sametime Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be vi |
| CVE-2012-3331 | all versions | IBM Sametime allows remote attackers to obtain sensitive information from the Sametime Log database via a direct request to STLOG. |
| CVE-2016-2980 | all versions | The Sametime WebPlayer 8.5.2 and 9.0 is vulnerable to a script injection where a malicious site can inject their own script by exp |
| CVE-2016-2978 | all versions | IBM Sametime 8.5.2 and 9.0 could store potentially sensitive information from the browser cache locally that could be available to |
| CVE-2016-2976 | all versions | IBM Sametime Meeting Server 8.5.2 and 9.0 could allow a meeting invitee to obtain previously cleared sensitive information by view |
| CVE-2016-2975 | all versions | IBM Sametime 8.5.2 and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript co |
| CVE-2016-2974 | all versions | IBM Sametime Connect 8.5.2 and 9.0, after uninstalling the Sametime Rich Client, could disclose potentially sensitive information |
| CVE-2016-2967 | all versions | IBM Sametime 8.5.2 and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript co |
| CVE-2016-2966 | all versions | IBM Sametime 8.5.1 and 9.0 could allow an authenticated user to enumerate meeting rooms by guessing the meeting room id. IBM X-For |
| CVE-2016-2964 | all versions | IBM Sametime 8.5.2 and 9.0 under certain conditions provides an error message to a user that is too detailed and may reveal detail |
| CVE-2016-0358 | all versions | IBM Sametime 8.5.2 and 9.0 could allow an unauthorized authenticated user to enumerate group chat ID numbers and join meetings tha |
| CVE-2016-2979 | all versions | IBM Sametime Meeting Server 8.5.2 and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrar |
| CVE-2016-2977 | all versions | IBM Sametime Meeting Server 8.5.2 and 9.0 could allow a malicious user to lower other users hands in the meeting. IBM X-Force ID: |
| CVE-2016-2973 | all versions | IBM Sametime Media Services 8.5.2 and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrar |
| CVE-2016-2972 | all versions | IBM Sametime Meeting Server 8.5.2 and 9.0 could store credentials of the Sametime Meetings user in the local cache of their browse |
| CVE-2016-2971 | all versions | IBM Sametime Media Services 8.5.2 and 9.0 can disclose sensitive information in stack trace error logs that could aid an attacker |
| CVE-2016-2969 | all versions | IBM Sametime Meeting Server 8.5.2 and 9.0 may send replies that contain emails of people that should not be in these messages. IBM |
| CVE-2016-2965 | all versions | IBM Sametime Meeting Server 8.5.2 and 9.0 is vulnerable to cross-site request forgery, caused by improper validation of user-suppl |
| CVE-2016-2959 | all versions | IBM Sametime Meeting Server 8.5.2 and 9.0 could allow a meeting room manager to remove the primary managers privileges. IBM X-Forc |
| CVE-2016-10503 | all versions | IBM Sametime Meeting Server 8.5.2 and 9.0 could allow an authenticated and invited user of Sametime meeting to lower any or all ha |
| CVE-2016-0356 | all versions | IBM Sametime Enterprise Meeting Server 8.5.2 and 9.0 could allow an authenticated user that has been invited to a Sametime meeting |
| CVE-2016-0355 | all versions | IBM Sametime Enterprise Meeting Server 8.5.2 and 9.0 could allow an authenticated user that has been invited to a Sametime meeting |
| CVE-2016-0354 | all versions | IBM Sametime Enterprise Meeting Server 8.5.2 and 9.0 could allow an authenticated user to upload a malicious file to a Sametime me |
| CVE-2016-2970 | all versions | IBM Sametime 8.5 and 9.0 meetings server may provide detailed information in an error message that may provide details about the a |
| CVE-2014-4748 | all versions | Cross-site scripting (XSS) vulnerability in the Classic Meeting Server in IBM Sametime 8.x through 8.5.2.1 allows remote attackers |
| CVE-2014-4747 | all versions | The Classic Meeting Server in IBM Sametime 8.x through 8.5.2.1 allows physically proximate attackers to discover a meeting passwor |
| CVE-2014-3867 | all versions | The Meeting Server in IBM Sametime 8.x through 8.5.2.1 and 9.x through 9.0.0.1 does not include the HTTPOnly flag in a Set-Cookie |
| CVE-2014-3014 | all versions | Cross-site scripting (XSS) vulnerability in the Meeting Server in IBM Sametime 8.x through 8.5.2.1 and 9.x through 9.0.0.1 allows |
| CVE-2014-0906 | all versions | The Meeting Server in IBM Sametime 8.x through 8.5.2.1 and 9.x through 9.0.0.1 does not check whether a session cookie is current, |
| CVE-2013-3984 | all versions | The Meeting Server in IBM Sametime 8.x through 8.5.2.1 and 9.x through 9.0.0.1 does not set the secure flag for an unspecified coo |
| CVE-2013-3982 | all versions | The Meeting Server in IBM Sametime 8.x through 8.5.2.1 and 9.x through 9.0.0.1 allows remote attackers to obtain unspecified insta |
| CVE-2013-3981 | all versions | The Meeting Server in IBM Sametime 8.x through 8.5.2.1 and 9.x through 9.0.0.1 allows remote attackers to download avatar photos o |
| CVE-2013-3980 | all versions | The Meeting Server in IBM Sametime 8.x through 8.5.2.1 and 9.x through 9.0.0.1 allows remote attackers to cause a denial of servic |
| CVE-2013-3977 | all versions | The Meeting Server in IBM Sametime 8.x through 8.5.2.1 and 9.x through 9.0.0.1 allows remote attackers to determine which meeting |
| CVE-2013-3975 | all versions | Unspecified vulnerability in the Meeting Server in IBM Sametime 8.x through 8.5.2.1 and 9.x through 9.0.0.1 allows remote attacker |
| CVE-2013-3046 | all versions | The Meeting Server in IBM Sametime 8.x through 8.5.2.1 and 9.x through 9.0.0.1 does not send the HSTS Strict-Transport-Security he |
| CVE-2014-0890 | all versions | The Connect client in IBM Sametime 8.5.1, 8.5.1.1, 8.5.1.2, 8.5.2, 8.5.2.1, 9.0, and 9.0.0.1, when a certain com.ibm.collaboration |
| CVE-2013-6743 | all versions | Cross-site scripting (XSS) vulnerability in the Meeting Server in IBM Sametime 8.5.2 through 8.5.2.1 and 9.x through 9.0.0.1 allow |
| CVE-2013-6742 | all versions | The Meeting Server in IBM Sametime 8.5.2 through 8.5.2.1 and 9.x through 9.0.0.1 do not have an off autocomplete attribute for a p |
| CVE-2013-3988 | all versions | The Meeting Server in IBM Sametime 8.5.2 through 8.5.2.1 and 9.x through 9.0.0.1 allows remote attackers to conduct clickjacking a |
| CVE-2013-3983 | all versions | The Meeting Server in IBM Sametime 8.5.2 through 8.5.2.1 and 9.x through 9.0.0.1 does not validate URLs in Cookie headers before u |
| CVE-2013-3978 | all versions | The Meeting Server in IBM Sametime 8.5.2 through 8.5.2.1 and 9.x through 9.0.0.1 does not send the appropriate HTTP response heade |
| CVE-2013-6727 | all versions | The Connect client in IBM Sametime 8.5.2 through 8.5.2.1 and 9.0 before HF1 does not properly restrict unsigned Java plugins, whic |
| CVE-2013-6733 | all versions | Cross-site scripting (XSS) vulnerability in the Web Application in the Classic Meeting Server in IBM Sametime 7.5.1.2 through 8.5. |
| CVE-2013-0534 | all versions | The Connect client in IBM Sametime 8.5.1, 8.5.1.1, 8.5.1.2, 8.5.2, and 8.5.2.1, as used in the Lotus Notes client and separately, |
| CVE-2013-0553 | all versions | The client implementation in IBM Sametime 8.5.1 through 8.5.2.1, as used in Sametime Connect client, Sametime Advanced Connect cli |
| CVE-2012-3308 | all versions | Cross-site scripting (XSS) vulnerability in IBM Sametime 8.0.2 through 8.5.2.1 allows remote attackers to inject arbitrary web scr |