Vendor CVEs
HCL Software
All CVEs
380 total · sorted by risk

| CVE | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|
| CVE-2025-31972 | 0.00 | — | 0.00 | Aug 28, 2025 | HCL BigFix SM is affected by a Sensitive Information Exposure vulnerability where internal connections do not use TLS encryption which could allow an attacker unauthorized access to sensitive data transmitted between internal components. |
| CVE-2025-31988 | 0.00 | — | 0.00 | Aug 19, 2025 | HCL Digital Experience is susceptible to cross site scripting (XSS) in an administrative UI with restricted access. |
| CVE-2025-52618 | 0.00 | — | 0.00 | Aug 15, 2025 | HCL BigFix SaaS Authentication Service is affected by a SQL injection vulnerability. The vulnerability allows potential attackers to manipulate SQL queries. |
| CVE-2025-52619 | 0.00 | — | 0.00 | Aug 15, 2025 | HCL BigFix SaaS Authentication Service is affected by a sensitive information disclosure. Under certain conditions, error messages disclose sensitive version information about the underlying platform. |
| CVE-2025-52620 | 0.00 | — | 0.00 | Aug 15, 2025 | HCL BigFix SaaS Authentication Service is affected by a Cross-Site Scripting (XSS) vulnerability. The image upload functionality inadequately validated the submitted image format. |
| CVE-2025-52621 | 0.00 | — | 0.00 | Aug 15, 2025 | HCL BigFix SaaS Authentication Service is vulnerable to cache poisoning. The BigFix SaaS's HTTP responses were observed to include the Origin header. Its presence alongside an unvalidated reflection of the Origin header value introduces a potential for cache poisoning. |
| CVE-2025-31961 | 0.00 | — | 0.00 | Aug 15, 2025 | HCL Connections contains a broken access control vulnerability that may allow an unauthorized user to update data in certain scenarios. |
| CVE-2025-31987 | 0.00 | — | 0.00 | Aug 14, 2025 | HCL Connections Docs may mishandle validation of certain uploaded documents leading to denial of service due to resource exhaustion. |
| CVE-2025-0253 | 0.00 | — | 0.00 | Jul 25, 2025 | HCL IEM is affected by a cookie attribute not set vulnerability due to inconsistency of certain security-related configurations which could increase exposure to potential vulnerabilities. |
| CVE-2025-0252 | 0.00 | — | 0.00 | Jul 25, 2025 | HCL IEM is affected by a password in cleartext vulnerability. Sensitive information is transmitted without adequate protection, potentially exposing it to unauthorized access during transit. |
| CVE-2025-0251 | 0.00 | — | 0.00 | Jul 25, 2025 | HCL IEM is affected by a concurrent login vulnerability. The application allows multiple concurrent sessions using the same user credentials, which may introduce security risks. |
| CVE-2025-0250 | 0.00 | — | 0.00 | Jul 24, 2025 | HCL IEM is affected by an authorization token sent in cookie vulnerability. A token used for authentication and authorization is being handled in a manner that may increase its exposure to security risks. |
| CVE-2025-0249 | 0.00 | — | 0.00 | Jul 24, 2025 | HCL IEM is affected by an improper invalidation of access or JWT token vulnerability. A token was not invalidated which may allow attackers to access sensitive data without authorization. |
| CVE-2025-31952 | 0.00 | — | 0.00 | Jul 24, 2025 | HCL iAutomate is affected by an insufficient session expiration. This allows tokens to remain valid indefinitely unless manually revoked, increasing the risk of unauthorized access. |
| CVE-2025-31955 | 0.00 | — | 0.00 | Jul 24, 2025 | HCL iAutomate is affected by a sensitive data exposure vulnerability. This issue may allow unauthorized access to sensitive information within the system. |
| CVE-2025-31953 | 0.00 | — | 0.00 | Jul 24, 2025 | HCL iAutomate includes hardcoded credentials which may result in potential exposure of confidential data if intercepted or accessed by unauthorized parties. |
| CVE-2024-42209 | 0.00 | — | 0.00 | Jul 17, 2025 | HCL Connections is vulnerable to an information disclosure vulnerability that could allow a user to obtain sensitive information they are not entitled to, which is caused by improper handling of request data. |
| CVE-2024-42191 | 0.00 | — | 0.00 | May 30, 2025 | HCL Traveler for Microsoft Outlook (HTMO) is susceptible to a COM hijacking vulnerability which could allow an attacker to modify or replace the application with malicious content. |
| CVE-2024-42190 | 0.00 | — | 0.00 | May 30, 2025 | HCL Traveler for Microsoft Outlook (HTMO) is susceptible to a DLL hijacking vulnerability which could allow an attacker to modify or replace the application with malicious content. |
| CVE-2024-42213 | 0.00 | — | 0.00 | May 5, 2025 | HCL BigFix Compliance is affected by inclusion of temporary files left in the production environment. An attacker might gain access to these files by indexing or retrieval via predictable URLs or misconfigured permissions, leading to information disclosure. |
| CVE-2024-42212 | 0.00 | — | 0.00 | May 5, 2025 | HCL BigFix Compliance is affected by an improper or missing SameSite attribute. This can lead to Cross-Site Request Forgery (CSRF) attacks, where a malicious site could trick a user's browser into making unintended requests using authenticated sessions. |
| CVE-2024-30146 | 0.00 | — | 0.00 | Apr 30, 2025 | Improper access control of endpoint in HCL Domino Leap allows certain admin users to import applications from the server's filesystem. |
| CVE-2024-30145 | 0.00 | — | 0.00 | Apr 30, 2025 | Multiple vectors in HCL Domino Volt and Domino Leap allow client-side script injection in the authoring environment and deployed applications. |
| CVE-2024-30115 | 0.00 | — | 0.00 | Apr 30, 2025 | Insufficient sanitization policy in HCL Leap allows client-side script injection in the deployed application through the HTML widget. |
| CVE-2023-45721 | 0.00 | — | 0.00 | Apr 30, 2025 | Insufficient default configuration in HCL Leap allows anonymous access to directory information. |
| CVE-2023-37535 | 0.00 | — | 0.00 | Apr 30, 2025 | Insufficient URI protocol whitelist in HCL Domino Volt and Domino Leap allows script injection through query parameters. |
| CVE-2023-37517 | 0.00 | — | 0.00 | Apr 30, 2025 | Missing "no cache" headers in HCL Leap permits sensitive data to be cached. |
| CVE-2022-42450 | 0.00 | — | 0.00 | Apr 30, 2025 | Improper sanitization of SVG files in HCL Domino Volt allows client-side script injection in deployed applications. |
| CVE-2022-42449 | 0.00 | — | 0.00 | Apr 30, 2025 | Unsafe default file type filter policy in HCL Domino Volt allows upload of .html file and execution of unsafe JavaScript in deployed applications. |
| CVE-2022-27562 | 0.00 | — | 0.00 | Apr 30, 2025 | Unsafe default file type filter policy in HCL Domino Volt allows upload of .html file and execution of unsafe JavaScript in deployed applications. |
| CVE-2024-30152 | 0.00 | — | 0.00 | Apr 25, 2025 | HCL SX v21 is affected by usage of a weak cryptographic algorithm. An attacker could exploit this weakness to gain access to sensitive information, modify data, or other impacts. |
| CVE-2024-42178 | 0.00 | — | 0.00 | Apr 17, 2025 | HCL MyXalytics is affected by a failure to restrict URL access vulnerability. Unauthenticated users might gain unauthorized access to potentially confidential information, creating a risk of misuse, manipulation, or unauthorized distribution. |
| CVE-2024-42177 | 0.00 | — | 0.00 | Apr 17, 2025 | HCL MyXalytics is affected by SSL/TLS Protocol affected with BREACH & LUCKY13 vulnerabilities. Attackers can exploit the weakness in the ciphers to intercept and decrypt encrypted data, steal sensitive information, or inject malicious code into the system. |
| CVE-2024-42193 | 0.00 | — | 0.00 | Apr 15, 2025 | HCL BigFix Web Reports' service communicates over HTTPS but exhibits a weakness in its handling of SSL certificate validation. This scenario presents a possibility of man-in-the-middle (MITM) attacks and data exposure as, if exploited, this vulnerability could potentially lead… |
| CVE-2024-42189 | 0.00 | — | 0.00 | Apr 15, 2025 | HCL BigFix Web Reports might be subject to a Denial of Service (DoS) attack, due to a potentially weak validation of an API parameter. |
| CVE-2024-42200 | 0.00 | — | 0.00 | Apr 15, 2025 | HCL BigFix Web Reports might be subject to a Stored Cross-Site Scripting (XSS) attack, due to a potentially weak validation of user input. |
| CVE-2024-42208 | 0.00 | — | 0.00 | Apr 4, 2025 | HCL Connections is vulnerable to an information disclosure vulnerability which could allow a user to obtain sensitive information they are not entitled to, caused by improper handling of request data. |
| CVE-2025-0272 | 0.00 | — | 0.00 | Apr 3, 2025 | HCL DevOps Deploy / HCL Launch is vulnerable to HTML injection. This vulnerability may allow a user to embed arbitrary HTML tags in the Web UI potentially leading to sensitive information disclosure. |
| CVE-2025-0257 | 0.00 | — | 0.00 | Apr 2, 2025 | HCL DevOps Deploy / HCL Launch could allow unauthorized access to other services or potential exposure of sensitive data due to missing authentication in its Agent Relay service. |
| CVE-2025-0273 | 0.00 | — | 0.00 | Mar 27, 2025 | HCL DevOps Deploy / HCL Launch stores potentially sensitive authentication token information in log files that could be read by a local user. |
| CVE-2024-30155 | 0.00 | — | 0.00 | Mar 26, 2025 | HCL SX does not set the secure attribute on authorization tokens or session cookies. Attackers may potentially be able to obtain access to the cookie values via a Cross-Site Request Forgery (CSRF). |
| CVE-2025-0255 | 0.00 | — | 0.01 | Mar 24, 2025 | HCL DevOps Deploy / HCL Launch could allow a remote privileged authenticated attacker to execute arbitrary commands on the system by sending specially crafted input containing special elements. |
| CVE-2025-0256 | 0.00 | — | 0.00 | Mar 24, 2025 | HCL DevOps Deploy / HCL Launch could allow an authenticated user to obtain sensitive information about other users on the system due to missing authorization for a function. |
| CVE-2024-42176 | 0.00 | — | 0.00 | Mar 19, 2025 | HCL MyXalytics is affected by a concurrent login vulnerability. A concurrent login vulnerability occurs when simultaneous active sessions are allowed for a single credential, allowing an attacker to potentially obtain access to a user's account or sensitive information. |
| CVE-2025-20932 | 0.00 | — | 0.00 | Mar 6, 2025 | Out-of-bounds read in parsing RLE of BMP image in Samsung Notes prior to version 4.4.26.71 allows local attackers to read out-of-bounds memory. |
| CVE-2025-20931 | 0.00 | — | 0.00 | Mar 6, 2025 | Out-of-bounds write in parsing BMP image in Samsung Notes prior to version 4.4.26.71 allows local attackers to execute arbitrary code. |
| CVE-2025-20924 | 0.00 | — | 0.00 | Mar 6, 2025 | Improper access control in Samsung Notes prior to version 4.4.26.71 allows physical attackers to access data across multiple user profiles. |
| CVE-2025-20922 | 0.00 | — | 0.00 | Mar 6, 2025 | Out-of-bounds read in appending text paragraph in Samsung Notes prior to version 4.4.26.71 allows attackers to read out-of-bounds memory. |
| CVE-2024-30154 | 0.00 | — | 0.00 | Mar 3, 2025 | HCL SX is vulnerable to a cross-site request forgery vulnerability which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. |
| CVE-2025-1755 | 0.00 | — | 0.00 | Feb 27, 2025 | MongoDB Compass may be susceptible to local privilege escalation under certain conditions potentially enabling unauthorized actions on a user's system with elevated privileges, when a crafted file is stored in C:\node_modules\. This issue affects MongoDB Compass prior to 1.42.1. |
Page 3 of 8