CVE-2025-31966 PUBLISHED

Boolean-Based SQL Injection in Multiple Unica Components

Assigner: HCL
Reserved: 01.04.2025 Published: 17.03.2026 Updated: 17.03.2026

HCL Sametime is vulnerable to broken server-side validation. While the application performs client-side input checks, these are not enforced by the web server. An attacker can bypass these restrictions by sending manipulated HTTP requests directly to the server.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
CVSS Score: 2.7

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	High	Integrity Impact	Low
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	HCL
Product	Sametime
Versions	Default: unaffected Version Version 2.0.2 FP2 and older is affected

References

https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0124722

Problem Types

CWE-20 Improper input validation CWE