HCL Software

380 total · sorted by risk
  • CVE-2025-31972 · Aug 28, 2025
    risk 0.00 · cvss · epss 0.00

    HCL BigFix SM is affected by a Sensitive Information Exposure vulnerability where internal connections do not use TLS encryption which could allow an attacker unauthorized access to sensitive data transmitted between internal components.

  • CVE-2025-31988 · Aug 19, 2025
    risk 0.00 · cvss · epss 0.00

    HCL Digital Experience is susceptible to cross site scripting (XSS) in an administrative UI with restricted access.

  • CVE-2025-52618 · Aug 15, 2025
    risk 0.00 · cvss · epss 0.00

    HCL BigFix SaaS Authentication Service is affected by a SQL injection vulnerability. The vulnerability allows potential attackers to manipulate SQL queries.

  • CVE-2025-52619 · Aug 15, 2025
    risk 0.00 · cvss · epss 0.00

    HCL BigFix SaaS Authentication Service is affected by a sensitive information disclosure. Under certain conditions, error messages disclose sensitive version information about the underlying platform.

  • CVE-2025-52620 · Aug 15, 2025
    risk 0.00 · cvss · epss 0.00

    HCL BigFix SaaS Authentication Service is affected by a Cross-Site Scripting (XSS) vulnerability. The image upload functionality inadequately validated the submitted image format.

  • CVE-2025-52621 · Aug 15, 2025
    risk 0.00 · cvss · epss 0.00

    HCL BigFix SaaS Authentication Service is vulnerable to cache poisoning.  The BigFix SaaS's HTTP responses were observed to include the Origin header. Its presence alongside an unvalidated reflection of the Origin header value introduces a potential for cache poisoning.

  • CVE-2025-31961 · Aug 15, 2025
    risk 0.00 · cvss · epss 0.00

    HCL Connections contains a broken access control vulnerability that may allow an unauthorized user to update data in certain scenarios.

  • CVE-2025-31987 · Aug 14, 2025
    risk 0.00 · cvss · epss 0.00

    HCL Connections Docs may mishandle validation of certain uploaded documents leading to denial of service due to resource exhaustion.

  • CVE-2025-0253 · Jul 25, 2025
    risk 0.00 · cvss · epss 0.00

    HCL IEM is affected by a cookie attribute not set vulnerability due to inconsistency of certain security-related configurations which could increase exposure to potential vulnerabilities.

  • CVE-2025-0252 · Jul 25, 2025
    risk 0.00 · cvss · epss 0.00

    HCL IEM is affected by a password in cleartext vulnerability.  Sensitive information is transmitted without adequate protection, potentially exposing it to unauthorized access during transit.

  • CVE-2025-0251 · Jul 25, 2025
    risk 0.00 · cvss · epss 0.00

    HCL IEM is affected by a concurrent login vulnerability.  The application allows multiple concurrent sessions using the same user credentials, which may introduce security risks.

  • CVE-2025-0250 · Jul 24, 2025
    risk 0.00 · cvss · epss 0.00

    HCL IEM is affected by an authorization token sent in cookie vulnerability.  A token used for authentication and authorization is being handled in a manner that may increase its exposure to security risks.

  • CVE-2025-0249 · Jul 24, 2025
    risk 0.00 · cvss · epss 0.00

    HCL IEM is affected by an improper invalidation of access or JWT token vulnerability.  A token was not invalidated which may allow attackers to access sensitive data without authorization.

  • CVE-2025-31952 · Jul 24, 2025
    risk 0.00 · cvss · epss 0.00

    HCL iAutomate is affected by an insufficient session expiration. This allows tokens to remain valid indefinitely unless manually revoked, increasing the risk of unauthorized access.

  • CVE-2025-31955 · Jul 24, 2025
    risk 0.00 · cvss · epss 0.00

    HCL iAutomate is affected by a sensitive data exposure vulnerability. This issue may allow unauthorized access to sensitive information within the system.

  • CVE-2025-31953 · Jul 24, 2025
    risk 0.00 · cvss · epss 0.00

    HCL iAutomate includes hardcoded credentials which may result in potential exposure of confidential data if intercepted or accessed by unauthorized parties.

  • CVE-2024-42209 · Jul 17, 2025
    risk 0.00 · cvss · epss 0.00

    HCL Connections is vulnerable to an information disclosure vulnerability that could allow a user to obtain sensitive information they are not entitled to, which is caused by improper handling of request data.

  • CVE-2024-42191 · May 30, 2025
    risk 0.00 · cvss · epss 0.00

    HCL Traveler for Microsoft Outlook (HTMO) is susceptible to a COM hijacking vulnerability which could allow an attacker to modify or replace the application with malicious content.

  • CVE-2024-42190 · May 30, 2025
    risk 0.00 · cvss · epss 0.00

    HCL Traveler for Microsoft Outlook (HTMO) is susceptible to a DLL hijacking vulnerability which could allow an attacker to modify or replace the application with malicious content.

  • CVE-2024-42213 · May 5, 2025
    risk 0.00 · cvss · epss 0.00

    HCL BigFix Compliance is affected by the inclusion of temporary files left in the production environment. An attacker might gain access to these files through indexing, predictable URLs, or misconfigured permissions, leading to information disclosure.

  • CVE-2024-42212 · May 5, 2025
    risk 0.00 · cvss · epss 0.00

    HCL BigFix Compliance is affected by an improper or missing SameSite attribute. This can lead to Cross-Site Request Forgery (CSRF) attacks, where a malicious site could trick a user's browser into making unintended requests using authenticated sessions.

  • CVE-2024-30146 · Apr 30, 2025
    risk 0.00 · cvss · epss 0.00

    Improper access control of endpoint in HCL Domino Leap allows certain admin users to import applications from the server's filesystem.

  • CVE-2024-30145 · Apr 30, 2025
    risk 0.00 · cvss · epss 0.00

    Multiple vectors in HCL Domino Volt and Domino Leap allow client-side script injection in the authoring environment and deployed applications.

  • CVE-2024-30115 · Apr 30, 2025
    risk 0.00 · cvss · epss 0.00

    Insufficient sanitization policy in HCL Leap allows client-side script injection in the deployed application through the HTML widget.

  • CVE-2023-45721 · Apr 30, 2025
    risk 0.00 · cvss · epss 0.00

    Insufficient default configuration in HCL Leap allows anonymous access to directory information.

  • CVE-2023-37535 · Apr 30, 2025
    risk 0.00 · cvss · epss 0.00

    Insufficient URI protocol whitelist in HCL Domino Volt and Domino Leap allows script injection through query parameters.

  • CVE-2023-37517 · Apr 30, 2025
    risk 0.00 · cvss · epss 0.00

    Missing "no cache" headers in HCL Leap permits sensitive data to be cached.

  • CVE-2022-42450 · Apr 30, 2025
    risk 0.00 · cvss · epss 0.00

    Improper sanitization of SVG files in HCL Domino Volt allows client-side script injection in deployed applications.

  • CVE-2022-42449 · Apr 30, 2025
    risk 0.00 · cvss · epss 0.00

    Unsafe default file type filter policy in HCL Domino Volt allows upload of .html file and execution of unsafe JavaScript in deployed applications.

  • CVE-2022-27562 · Apr 30, 2025
    risk 0.00 · cvss · epss 0.00

    Unsafe default file type filter policy in HCL Domino Volt allows upload of .html file and execution of unsafe JavaScript in deployed applications.

  • CVE-2024-30152 · Apr 25, 2025
    risk 0.00 · cvss · epss 0.00

    HCL SX v21 is affected by usage of a weak cryptographic algorithm. An attacker could exploit this weakness to gain access to sensitive information, modify data, or other impacts.

  • CVE-2024-42178 · Apr 17, 2025
    risk 0.00 · cvss · epss 0.00

    HCL MyXalytics is affected by a failure to restrict URL access vulnerability. Unauthenticated users might gain unauthorized access to potentially confidential information, creating a risk of misuse, manipulation, or unauthorized distribution.

  • CVE-2024-42177 · Apr 17, 2025
    risk 0.00 · cvss · epss 0.00

    HCL MyXalytics is affected by the BREACH and LUCKY13 vulnerabilities in the SSL/TLS protocol. Attackers can exploit the weakness in the ciphers to intercept and decrypt encrypted data, steal sensitive information, or inject malicious code into the system.

  • CVE-2024-42193 · Apr 15, 2025
    risk 0.00 · cvss · epss 0.00

    HCL BigFix Web Reports' service communicates over HTTPS but exhibits a weakness in its handling of SSL certificate validation. This scenario presents a possibility of man-in-the-middle (MITM) attacks and data exposure as, if exploited, this vulnerability could potentially lead…

  • CVE-2024-42189 · Apr 15, 2025
    risk 0.00 · cvss · epss 0.00

    HCL BigFix Web Reports might be subject to a Denial of Service (DoS) attack, due to a potentially weak validation of an API parameter.

  • CVE-2024-42200 · Apr 15, 2025
    risk 0.00 · cvss · epss 0.00

    HCL BigFix Web Reports might be subject to a Stored Cross-Site Scripting (XSS) attack, due to a potentially weak validation of user input.

  • CVE-2024-42208 · Apr 4, 2025
    risk 0.00 · cvss · epss 0.00

    HCL Connections is vulnerable to an information disclosure vulnerability which could allow a user to obtain sensitive information they are not entitled to, caused by improper handling of request data.

  • CVE-2025-0272 · Apr 3, 2025
    risk 0.00 · cvss · epss 0.00

    HCL DevOps Deploy / HCL Launch is vulnerable to HTML injection. This vulnerability may allow a user to embed arbitrary HTML tags in the Web UI potentially leading to sensitive information disclosure.

  • CVE-2025-0257 · Apr 2, 2025
    risk 0.00 · cvss · epss 0.00

    HCL DevOps Deploy / HCL Launch could allow unauthorized access to other services or potential exposure of sensitive data due to missing authentication in its Agent Relay service.

  • CVE-2025-0273 · Mar 27, 2025
    risk 0.00 · cvss · epss 0.00

    HCL DevOps Deploy / HCL Launch stores potentially sensitive authentication token information in log files that could be read by a local user.

  • CVE-2024-30155 · Mar 26, 2025
    risk 0.00 · cvss · epss 0.00

    HCL SX does not set the secure attribute on authorization tokens or session cookies. Attackers may potentially be able to obtain access to the cookie values via a Cross-Site Request Forgery (CSRF).

  • CVE-2025-0255 · Mar 24, 2025
    risk 0.00 · cvss · epss 0.01

    HCL DevOps Deploy / HCL Launch could allow a remote privileged authenticated attacker to execute arbitrary commands on the system by sending specially crafted input containing special elements.

  • CVE-2025-0256 · Mar 24, 2025
    risk 0.00 · cvss · epss 0.00

    HCL DevOps Deploy / HCL Launch could allow an authenticated user to obtain sensitive information about other users on the system due to missing authorization for a function.

  • CVE-2024-42176 · Mar 19, 2025
    risk 0.00 · cvss · epss 0.00

    HCL MyXalytics is affected by a concurrent login vulnerability. A concurrent login vulnerability occurs when simultaneous active sessions are allowed for a single credential, allowing an attacker to potentially obtain access to a user's account or sensitive information.

  • CVE-2025-20932 · Mar 6, 2025
    risk 0.00 · cvss · epss 0.00

    Out-of-bounds read in parsing RLE of BMP image in Samsung Notes prior to version 4.4.26.71 allows local attackers to read out-of-bounds memory.

  • CVE-2025-20931 · Mar 6, 2025
    risk 0.00 · cvss · epss 0.00

    Out-of-bounds write in parsing BMP image in Samsung Notes prior to version 4.4.26.71 allows local attackers to execute arbitrary code.

  • CVE-2025-20924 · Mar 6, 2025
    risk 0.00 · cvss · epss 0.00

    Improper access control in Samsung Notes prior to version 4.4.26.71 allows physical attackers to access data across multiple user profiles.

  • CVE-2025-20922 · Mar 6, 2025
    risk 0.00 · cvss · epss 0.00

    Out-of-bounds read in appending text paragraph in Samsung Notes prior to version 4.4.26.71 allows attackers to read out-of-bounds memory.

  • CVE-2024-30154 · Mar 3, 2025
    risk 0.00 · cvss · epss 0.00

    HCL SX is vulnerable to cross-site request forgery, which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.

  • CVE-2025-1755 · Feb 27, 2025
    risk 0.00 · cvss · epss 0.00

    MongoDB Compass may be susceptible to local privilege escalation under certain conditions, potentially enabling unauthorized actions on a user's system with elevated privileges, when a crafted file is stored in C:\node_modules\. This issue affects MongoDB Compass prior to 1.42.1.
