HCL Software

All CVEs

380 total · sorted by risk
  • CVE-2024-23554 · May 17, 2024
    risk 0.00 · cvss · epss 0.00

    Cross-Site Request Forgery (CSRF) on Session Token vulnerability that could potentially lead to Remote Code Execution (RCE).

  • CVE-2024-23583 · May 17, 2024
    risk 0.00 · cvss · epss 0.00

    An attacker could potentially intercept credentials via the task manager and perform unauthorized access to the Client Deploy Tool on Windows systems.

  • CVE-2024-3371 · Apr 24, 2024
    risk 0.00 · cvss · epss 0.00

    MongoDB Compass may accept and use insufficiently validated input from an untrusted external source. This may cause unintended application behavior, including data disclosure and enabling attackers to impersonate users. This issue affects MongoDB Compass versions 1.35.0 to…

  • CVE-2024-30107 · Apr 18, 2024
    risk 0.00 · cvss · epss 0.00

    HCL Connections contains a broken access control vulnerability that may expose sensitive information to unauthorized users in certain scenarios.

  • CVE-2024-23557 · Apr 18, 2024
    risk 0.00 · cvss · epss 0.00

    HCL Connections contains a user enumeration vulnerability. Certain actions could allow an attacker to determine if the user is valid or not, leading to a possible brute force attack.

  • CVE-2024-23558 · Apr 15, 2024
    risk 0.00 · cvss · epss 0.00

    HCL DevOps Deploy / HCL Launch does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system.

  • CVE-2024-23561 · Apr 15, 2024
    risk 0.00 · cvss · epss 0.00

    HCL DevOps Deploy / HCL Launch is vulnerable to sensitive information disclosure due to insufficient obfuscation of sensitive values.

  • CVE-2024-23560 · Apr 15, 2024
    risk 0.00 · cvss · epss 0.00

    HCL DevOps Deploy / HCL Launch could be vulnerable to incomplete revocation of permissions when deleting a custom security resource type.

  • CVE-2024-23559 · Apr 15, 2024
    risk 0.00 · cvss · epss 0.00

    HCL DevOps Deploy / Launch is generating an obsolete HTTP header.

  • CVE-2023-50347 · Apr 10, 2024
    risk 0.00 · cvss · epss 0.01

    HCL DRYiCE MyXalytics is impacted by an insecure SQL interface vulnerability, potentially giving an attacker the ability to execute custom SQL queries. A malicious user can run arbitrary SQL commands including changing system configuration.

  • CVE-2023-45715 · Mar 28, 2024
    risk 0.00 · cvss · epss 0.00

    The console may experience a service interruption when processing file names with invalid characters.

  • CVE-2023-45706 · Mar 28, 2024
    risk 0.00 · cvss · epss 0.00

    An administrative user of WebReports may perform a Cross Site Scripting (XSS) and/or Man in the Middle (MITM) exploit through SAML configuration.

  • CVE-2023-45705 · Mar 28, 2024
    risk 0.00 · cvss · epss 0.00

    An administrative user of WebReports may perform a Server Side Request Forgery (SSRF) exploit through SMTP configuration options.

  • CVE-2023-37540 · Feb 23, 2024
    risk 0.00 · cvss · epss 0.00

    Sametime Connect desktop chat client includes, but does not use or require, the use of an Eclipse feature called Secure Storage. Using this Eclipse feature to store sensitive data can lead to exposure of that data.

  • CVE-2023-28018 · Feb 12, 2024
    risk 0.00 · cvss · epss 0.00

    HCL Connections is vulnerable to a denial of service, caused by improper validation on certain requests. Using a specially-crafted request an attacker could exploit this vulnerability to cause denial of service for affected users.

  • CVE-2023-45698 · Feb 10, 2024
    risk 0.00 · cvss · epss 0.00

    Sametime is impacted by lack of clickjacking protection in Outlook add-in. The application is not implementing appropriate protections in order to protect users from clickjacking attacks.

  • CVE-2023-45696 · Feb 10, 2024
    risk 0.00 · cvss · epss 0.00

    Sametime is impacted by sensitive fields with autocomplete enabled in the Legacy web chat client. By default, this allows user entered data to be stored by the browser.

  • CVE-2023-45718 · Feb 9, 2024
    risk 0.00 · cvss · epss 0.00

    Sametime is impacted by a failure to invalidate sessions. The application is setting sensitive cookie values in a persistent manner in Sametime Web clients. When this happens, cookie values can remain valid even after a user has closed out their session.  

  • CVE-2023-45716 · Feb 9, 2024
    risk 0.00 · cvss · epss 0.00

    Sametime is impacted by sensitive information passed in URL.

  • CVE-2023-50349 · Feb 9, 2024
    risk 0.00 · cvss · epss 0.00

    Sametime is impacted by a Cross Site Request Forgery (CSRF) vulnerability. Some REST APIs in the Sametime Proxy application can allow an attacker to perform malicious actions on the application.

  • CVE-2024-23550 · Feb 3, 2024
    risk 0.00 · cvss · epss 0.00

    HCL DevOps Deploy / HCL Launch (UCD) could disclose sensitive user information when installing the Windows agent.

  • CVE-2023-37528 · Feb 3, 2024
    risk 0.00 · cvss · epss 0.00

    A cross-site scripting (XSS) vulnerability in the Web Reports component of HCL BigFix Platform can possibly allow an attacker to exploit an application parameter during execution of the Save Report.

  • CVE-2024-23553 · Feb 2, 2024
    risk 0.00 · cvss · epss 0.00

    A cross-site scripting (XSS) vulnerability in the Web Reports component of HCL BigFix Platform exists due to a missing specific HTTP header attribute.

  • CVE-2023-37531 · Feb 2, 2024
    risk 0.00 · cvss · epss 0.00

    A cross-site scripting (XSS) vulnerability in the Web Reports component of HCL BigFix Platform can possibly allow an attacker to execute malicious JavaScript code into a form field of a webpage by a user with privileged access.

  • CVE-2023-37530 · Feb 2, 2024
    risk 0.00 · cvss · epss 0.00

    A cross-site scripting (XSS) vulnerability in the Web Reports component of HCL BigFix Platform can possibly allow an attacker to execute malicious JavaScript code into a webpage trying to retrieve cookie stored information.

  • CVE-2023-37529 · Feb 2, 2024
    risk 0.00 · cvss · epss 0.00

    A cross-site scripting (XSS) vulnerability in the Web Reports component of HCL BigFix Platform can possibly allow an attacker to execute malicious JavaScript code into a webpage trying to retrieve cookie stored information. This is not the same vulnerability as identified in…

  • CVE-2023-37527 · Feb 2, 2024
    risk 0.00 · cvss · epss 0.00

    A reflected cross-site scripting (XSS) vulnerability in the Web Reports component of HCL BigFix Platform can possibly allow an attacker to execute malicious JavaScript code in the application session or in database, via remote injection, while rendering content in a web page.

  • CVE-2023-37518 · Jan 30, 2024
    risk 0.00 · cvss · epss 0.00

    HCL BigFix ServiceNow is vulnerable to arbitrary code injection. A malicious authorized attacker could inject arbitrary code and execute within the context of the running user.

  • CVE-2023-37523 · Jan 16, 2024
    risk 0.00 · cvss · epss 0.00

    Missing or insecure tags in the HCL BigFix Bare OSD Metal Server WebUI version 311.19 or lower could allow an attacker to execute a malicious script on the user's browser.

  • CVE-2023-37522 · Jan 16, 2024
    risk 0.00 · cvss · epss 0.00

    HCL BigFix Bare OSD Metal Server WebUI version 311.19 or lower has missing or insecure tags that could allow an attacker to execute a malicious script on the user's browser.

  • CVE-2023-37521 · Jan 16, 2024
    risk 0.00 · cvss · epss 0.00

    HCL BigFix Bare OSD Metal Server WebUI version 311.19 or lower can sometimes include sensitive information in a query string which could allow an attacker to execute a malicious attack.

  • CVE-2023-45722 · Jan 3, 2024
    risk 0.00 · cvss · epss 0.01

    HCL DRYiCE MyXalytics is impacted by a path traversal arbitrary file read vulnerability because it uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory. The product does not properly…

  • CVE-2023-45724 · Jan 3, 2024
    risk 0.00 · cvss · epss 0.01

    HCL DRYiCE MyXalytics product is impacted by an unauthenticated file upload vulnerability. The web application permits the upload of a certain file without requiring user authentication.

  • CVE-2023-45723 · Jan 3, 2024
    risk 0.00 · cvss · epss 0.01

    HCL DRYiCE MyXalytics is impacted by a path traversal vulnerability which allows file upload capability. Certain endpoints permit users to manipulate the path (including the file name) where these files are stored on the server.

  • CVE-2023-50341 · Jan 3, 2024
    risk 0.00 · cvss · epss 0.00

    HCL DRYiCE MyXalytics is impacted by an Improper Access Control (Obsolete web pages) vulnerability. Discovery of outdated and accessible web pages reflects a "Missing Access Control" vulnerability, which could lead to inadvertent exposure of sensitive information and/or exposing a…

  • CVE-2023-50342 · Jan 3, 2024
    risk 0.00 · cvss · epss 0.00

    HCL DRYiCE MyXalytics is impacted by an Insecure Direct Object Reference (IDOR) vulnerability. A user can obtain certain details about another user as a result of improper access control.

  • CVE-2023-50343 · Jan 3, 2024
    risk 0.00 · cvss · epss 0.00

    HCL DRYiCE MyXalytics is impacted by an Improper Access Control (Controller APIs) vulnerability. Certain API endpoints are accessible to Customer Admin Users that can allow access to sensitive information about other users.

  • CVE-2023-50344 · Jan 3, 2024
    risk 0.00 · cvss · epss 0.00

    HCL DRYiCE MyXalytics is impacted by an improper access control (Unauthenticated File Download) vulnerability. An unauthenticated user can download certain files.

  • CVE-2023-50345 · Jan 3, 2024
    risk 0.00 · cvss · epss 0.00

    HCL DRYiCE MyXalytics is impacted by an Open Redirect vulnerability which could allow an attacker to redirect users to malicious sites, potentially leading to phishing attacks or other security threats.

  • CVE-2023-50346 · Jan 3, 2024
    risk 0.00 · cvss · epss 0.00

    HCL DRYiCE MyXalytics is impacted by an information disclosure vulnerability. Certain endpoints within the application disclose detailed file information.

  • CVE-2023-50348 · Jan 3, 2024
    risk 0.00 · cvss · epss 0.00

    HCL DRYiCE MyXalytics is impacted by an improper error handling vulnerability. The application returns detailed error messages that can provide an attacker with insight into the application, system, etc.

  • CVE-2023-50350 · Jan 3, 2024
    risk 0.00 · cvss · epss 0.00

    HCL DRYiCE MyXalytics is impacted by the use of a broken cryptographic algorithm for encryption, potentially giving an attacker ability to decrypt sensitive information.

  • CVE-2023-50351 · Jan 3, 2024
    risk 0.00 · cvss · epss 0.00

    HCL DRYiCE MyXalytics is impacted by the use of an insecure key rotation mechanism which can allow an attacker to compromise the confidentiality or integrity of data.

  • CVE-2023-45702 · Dec 28, 2023
    risk 0.00 · cvss · epss 0.00

    An HCL UrbanCode Deploy Agent installed as a Windows service in a non-standard location could be subject to a denial of service attack by local accounts.

  • CVE-2023-45701 · Dec 28, 2023
    risk 0.00 · cvss · epss 0.00

    HCL Launch could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system.

  • CVE-2023-37520 · Dec 21, 2023
    risk 0.00 · cvss · epss 0.00

    Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability identified in BigFix Server version 9.5.12.68, allowing for potential data exfiltration. This XSS vulnerability is in the Gather Status Report, which is served by the BigFix Relay.

  • CVE-2023-37519 · Dec 21, 2023
    risk 0.00 · cvss · epss 0.00

    Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability. This XSS vulnerability is in the Download Status Report, which is served by the BigFix Server. 

  • CVE-2023-28025 · Dec 21, 2023
    risk 0.00 · cvss · epss 0.00

    Due to this vulnerability, the Master operator could potentially incorporate an SVG tag into HTML, leading to an alert pop-up displaying a cookie. To mitigate stored XSS vulnerabilities, a preventive measure involves thoroughly sanitizing and validating all user inputs before…

  • CVE-2023-45700 · Dec 21, 2023
    risk 0.00 · cvss · epss 0.00

    HCL Launch is vulnerable to HTML injection. This vulnerability may allow a user to embed arbitrary HTML tags in the Web UI potentially leading to sensitive information disclosure.

  • CVE-2023-45703 · Dec 20, 2023
    risk 0.00 · cvss · epss 0.00

    HCL Launch may mishandle input validation of an uploaded archive file leading to a denial of service due to resource exhaustion.
