VYPR

Vendor CVEs

HCL Software

All CVEs

380 total · sorted by risk
  • CVE-2023-42012 · Dec 19, 2023
    risk 0.00 · cvss n/a · epss 0.00

    An IBM UrbanCode Deploy Agent 7.2 through 7.2.3.7, and 7.3 through 7.3.2.2 installed as a Windows service in a non-standard location could be subject to a denial of service attack by local accounts. IBM X-Force ID: 265509.

  • CVE-2023-28022 · Dec 15, 2023
    risk 0.00 · cvss n/a · epss 0.01

    HCL Connections is vulnerable to an information disclosure vulnerability which could allow a user to obtain sensitive information they are not entitled to, caused by improper handling of request data.

  • CVE-2023-28017 · Dec 7, 2023
    risk 0.00 · cvss n/a · epss 0.00

    HCL Connections is vulnerable to a cross-site scripting attack where an attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user after visiting the vulnerable URL which leads to executing malicious script code. This may let the…

  • CVE-2023-37533 · Nov 8, 2023
    risk 0.00 · cvss n/a · epss 0.00

    HCL Connections is vulnerable to reflected cross-site scripting (XSS) where an attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user after visiting the vulnerable URL which contains the malicious script code. This may allow…

  • CVE-2023-37503 · Oct 19, 2023
    risk 0.00 · cvss n/a · epss 0.00

    HCL Compass is vulnerable to insecure password requirements. An attacker could easily guess the password and gain access to user accounts.

  • CVE-2023-37504 · Oct 19, 2023
    risk 0.00 · cvss n/a · epss 0.00

    HCL Compass fails to invalidate sessions: the application does not invalidate authenticated sessions when the log out functionality is called. If the session identifier can be discovered, it could be replayed to the application and used to impersonate the…
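    The Compass finding above is a logout that leaves the server-side session alive, so a captured identifier keeps working. The following added example (not HCL's code and not part of the original listing) contrasts a client-only logout with one that destroys the server record; the in-memory store, the `alice` user and the idle timeout are constructed for illustration.

```python
"""Logout that actually revokes the session on the server.

Added example (not HCL's or the page's code). The session table is an
in-memory stand-in for whatever store the real application uses.
"""
import hmac
import secrets
import time
from typing import Optional


class SessionStore:
    def __init__(self, idle_timeout: float = 900.0, clock=time.monotonic):
        self._sessions: dict = {}
        self.idle_timeout = idle_timeout
        self.clock = clock

    def login(self, user: str) -> str:
        sid = secrets.token_urlsafe(32)  # 256 bits, unguessable
        self._sessions[sid] = {"user": user, "last_seen": self.clock()}
        return sid

    def _find(self, sid: str) -> Optional[str]:
        # Constant-time comparison against each stored id so a lookup does not
        # leak how much of a guessed id was right.
        for known in self._sessions:
            if hmac.compare_digest(known, sid):
                return known
        return None

    def resolve(self, sid: str) -> Optional[str]:
        """User for a live session, or None if unknown, revoked or idle too long."""
        key = self._find(sid)
        if key is None:
            return None
        rec = self._sessions[key]
        if self.clock() - rec["last_seen"] > self.idle_timeout:
            del self._sessions[key]
            return None
        rec["last_seen"] = self.clock()
        return rec["user"]

    def logout_client_only(self, sid: str) -> None:
        """The weak pattern: tell the browser to drop its cookie and change
        nothing server-side. Anyone holding the identifier can keep using it."""
        return None

    def logout(self, sid: str) -> bool:
        """The fix: delete the server-side record so a replayed id is rejected."""
        key = self._find(sid)
        if key is None:
            return False
        del self._sessions[key]
        return True


def demo() -> dict:
    """Replay a captured session id after each style of logout."""
    store = SessionStore()
    sid = store.login("alice")
    captured = sid  # what an attacker who observed the id would hold
    out = {"live": store.resolve(captured) == "alice"}
    store.logout_client_only(sid)
    out["replay_works_after_client_only_logout"] = store.resolve(captured) == "alice"
    store.logout(sid)
    out["replay_works_after_server_logout"] = store.resolve(captured) == "alice"
    return out


if __name__ == "__main__":
    print(demo())
```

    In a real deployment the same revocation has to reach every node that validates sessions (a shared store or a revocation list), and the logout endpoint itself should require the current session so a third party cannot log users out at will.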

  • CVE-2023-37502 · Oct 18, 2023
    risk 0.00 · cvss n/a · epss 0.00

    HCL Compass lacks file upload security controls. An attacker could upload files containing active code that can be executed by the server or by a user's web browser.

  • CVE-2023-37537 · Oct 17, 2023
    risk 0.00 · cvss n/a · epss 0.00

    An unquoted service path vulnerability in HCL AppScan Presence, deployed as a Windows service in HCL AppScan on Cloud (ASoC), may allow a local attacker to gain elevated privileges.
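    An unquoted service path is exploitable only when a directory holding one of the intermediate candidate paths is writable by a low-privileged user, so the audit is: derive the candidates, then check the ACL on each parent directory. The added example below (not HCL's code and not part of the original listing) does the first half for ImagePath strings exported from a host; the service names and install paths in `SAMPLE_IMAGE_PATHS` are constructed and do not describe any real product layout. Python is used so the logic runs anywhere the exported values are analysed; on the host itself the same values come from `sc qc <service>` or `Get-CimInstance Win32_Service`.

```python
"""Flag hijack candidates in Windows service ImagePath values.

Added example (not HCL's or the page's code). The ImagePath strings below are
constructed and the product paths are illustrative.
"""
import ntpath

# Constructed sample values of the kind stored under
# HKLM\SYSTEM\CurrentControlSet\Services\<svc>\ImagePath (or shown by `sc qc`).
SAMPLE_IMAGE_PATHS = {
    "quoted":    '"C:\\Program Files\\Vendor\\Agent Service\\agent.exe" -service',
    "unquoted":  'C:\\Program Files\\Vendor\\Agent Service\\agent.exe -service',
    "no_spaces": 'C:\\Vendor\\agent.exe -service',
    "system":    '%SystemRoot%\\system32\\svchost.exe -k netsvcs',
}


def executable_part(image_path: str) -> str:
    """Return the executable portion of an unquoted ImagePath (arguments dropped)."""
    path = image_path.strip()
    end = path.lower().find(".exe")
    return path if end == -1 else path[: end + 4]


def hijack_candidates(image_path: str) -> list:
    """Paths CreateProcess tries before the real binary when the path is unquoted.

    For 'C:\\Program Files\\Vendor\\Agent Service\\agent.exe' Windows tries
    'C:\\Program.exe', then 'C:\\Program Files\\Vendor\\Agent.exe', then the
    full path. A local user who can write to the directory holding any of the
    earlier candidates gets code execution as the service account. A quoted
    path, or one without spaces, is unambiguous and yields no candidates.
    """
    if image_path.strip().startswith('"'):
        return []
    exe = executable_part(image_path)
    if " " not in exe:
        return []
    parts = exe.split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]


def directories_to_audit(image_path: str) -> list:
    """Directories whose ACLs decide exploitability: each must deny write access
    to ordinary users. Duplicates removed, order preserved."""
    dirs = [ntpath.dirname(c) for c in hijack_candidates(image_path)]
    return list(dict.fromkeys(dirs))


def scan(image_paths: dict) -> dict:
    """Map service name -> directories to audit, for the services that are affected."""
    findings = {}
    for name, image_path in image_paths.items():
        dirs = directories_to_audit(image_path)
        if dirs:
            findings[name] = dirs
    return findings


if __name__ == "__main__":
    for svc, dirs in scan(SAMPLE_IMAGE_PATHS).items():
        print(f"{svc}: check write ACLs on {dirs}")
```

    The fix on the product side is to register the service with the executable path in double quotes; the fix on the host side is to make sure every directory returned by `directories_to_audit` denies write and create-file rights to non-administrators, which is also the control that matters when an agent is installed in a non-standard location.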

  • CVE-2023-37538 · Oct 11, 2023
    risk 0.00 · cvss n/a · epss 0.00

    HCL Digital Experience is susceptible to cross site scripting (XSS). One subcomponent is vulnerable to reflected XSS. In reflected XSS, an attacker must induce a victim to click on a crafted URL from some delivery mechanism (email, other web site).

  • CVE-2023-37536 · Oct 11, 2023
    risk 0.00 · cvss n/a · epss 0.01

    An integer overflow in xerces-c++ 3.2.3 in BigFix Platform allows remote attackers to cause out-of-bounds access via an HTTP request.

  • CVE-2022-44757 · Oct 11, 2023
    risk 0.00 · cvss n/a · epss 0.00

    BigFix Insights for Vulnerability Remediation (IVR) uses weak cryptography that can lead to credential exposure. An attacker could gain access to sensitive information, modify data in unexpected ways, etc.

  • CVE-2022-44758 · Oct 11, 2023
    risk 0.00 · cvss n/a · epss 0.00

    BigFix Insights/IVR fixlet uses improper credential handling within certain fixlet content. An attacker can gain access to information that is not explicitly authorized.

  • CVE-2023-39955 · Aug 10, 2023
    risk 0.00 · cvss n/a · epss 0.00

    Notes is a note-taking app for Nextcloud, an open-source cloud platform. Starting in version 4.4.0 and prior to version 4.8.0, when creating a note file with HTML, the content is rendered in the preview instead of the file being offered to download. Nextcloud Notes app version…

  • CVE-2023-23347 · Aug 9, 2023
    risk 0.00 · cvss n/a · epss 0.00

    HCL DRYiCE iAutomate is affected by the use of a broken cryptographic algorithm. An attacker can potentially compromise the confidentiality and integrity of sensitive information.

  • CVE-2023-23346 · Aug 9, 2023
    risk 0.00 · cvss n/a · epss 0.00

    HCL DRYiCE MyCloud is affected by the use of a broken cryptographic algorithm. An attacker can potentially compromise the confidentiality and integrity of sensitive information.

  • CVE-2023-37500 · Aug 3, 2023
    risk 0.00 · cvss n/a · epss 0.00

    A persistent cross-site scripting (XSS) vulnerability can be carried out on certain pages of Unica Platform. An attacker could hijack a user's session and perform other attacks.

  • CVE-2023-37499 · Aug 3, 2023
    risk 0.00 · cvss n/a · epss 0.00

    A persistent cross-site scripting (XSS) vulnerability can be carried out in a certain field of the Unica Platform. An attacker could hijack a user's session and perform other attacks.

  • CVE-2023-37498 · Aug 3, 2023
    risk 0.00 · cvss n/a · epss 0.00

    A user is capable of assigning themselves to arbitrary groups by reusing a POST request issued by an administrator. An attacker could potentially escalate their privileges.

  • CVE-2023-37497 · Aug 3, 2023
    risk 0.00 · cvss n/a · epss 0.00

    The Unica application exposes an API which accepts arbitrary XML input. By manipulating the given XML, an authenticated attacker with certain rights can successfully perform XML External Entity attacks (XXE) against the backend service.

  • CVE-2023-28014 · Jul 26, 2023
    risk 0.00 · cvss n/a · epss 0.00

    HCL BigFix Mobile is vulnerable to a cross-site scripting attack. An authenticated attacker could inject malicious scripts into the application.

  • CVE-2023-28012 · Jul 26, 2023
    risk 0.00 · cvss n/a · epss 0.01

    HCL BigFix Mobile is vulnerable to a command injection attack. An authenticated attacker could run arbitrary shell commands on the WebUI server.

  • CVE-2023-28023 · Jul 18, 2023
    risk 0.00 · cvss n/a · epss 0.00

    A cross-site request forgery vulnerability in the BigFix WebUI Software Distribution interface, site version 44 and before, allows a non-master operator (NMO) attacker to access files on server-side systems (the server machine and all the ones in its network).

  • CVE-2023-28021 · Jul 18, 2023
    risk 0.00 · cvss n/a · epss 0.00

    The BigFix WebUI uses weak cipher suites.

  • CVE-2023-28020 · Jul 18, 2023
    risk 0.00 · cvss n/a · epss 0.00

    URL redirection in the login page of HCL BigFix WebUI allows a malicious user to redirect the client browser to an external site via the redirect URL response header.

  • CVE-2023-28019 · Jul 18, 2023
    risk 0.00 · cvss n/a · epss 0.00

    Insufficient validation in the BigFix WebUI API App site version < 14 allows an authenticated WebUI user to inject SQL via an unparameterized SQL query.
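    "Unparameterized" means the user-supplied value is concatenated into the SQL text, so the database parses it as part of the statement. The added example below (not HCL's code and not part of the original listing) shows the vulnerable and the bound-parameter versions side by side against a constructed SQLite table, plus the allowlist pattern for the one part of a query that cannot be bound, the column name in ORDER BY. Table, rows and the `alice' OR '1'='1` payload are all constructed for illustration.

```python
"""String-built SQL versus bound parameters.

Added example (not HCL's or the page's code). The table and rows are constructed
and do not reflect any BigFix schema.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE computers (id INTEGER PRIMARY KEY, name TEXT, operator TEXT)"
    )
    conn.executemany(
        "INSERT INTO computers (name, operator) VALUES (?, ?)",
        [("ws-001", "alice"), ("ws-002", "alice"), ("srv-db", "bob")],
    )
    return conn


def names_unparameterized(conn: sqlite3.Connection, operator: str) -> list:
    """Vulnerable: the caller's value is spliced into the SQL text, so quote
    characters in it change the meaning of the statement."""
    sql = f"SELECT name FROM computers WHERE operator = '{operator}' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def names_parameterized(conn: sqlite3.Connection, operator: str) -> list:
    """Fixed: the value is bound as a parameter and is never parsed as SQL."""
    sql = "SELECT name FROM computers WHERE operator = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (operator,))]


# Identifiers (column names in ORDER BY) cannot be bound, so they are checked
# against a fixed allowlist instead of being interpolated from user input.
SORTABLE_COLUMNS = frozenset({"id", "name", "operator"})


def names_sorted(conn: sqlite3.Connection, operator: str, sort_by: str) -> list:
    if sort_by not in SORTABLE_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    sql = f"SELECT name FROM computers WHERE operator = ? ORDER BY {sort_by}"
    return [row[0] for row in conn.execute(sql, (operator,))]


# Constructed payload: closes the string literal and appends an always-true clause.
PAYLOAD = "alice' OR '1'='1"


def demo() -> dict:
    conn = make_db()
    return {
        "unparameterized_with_payload": names_unparameterized(conn, PAYLOAD),
        "parameterized_with_payload": names_parameterized(conn, PAYLOAD),
        "parameterized_legitimate": names_parameterized(conn, "alice"),
    }


if __name__ == "__main__":
    for case, rows in demo().items():
        print(f"{case}: {rows}")
```

    With the payload, the string-built query returns every row, including `bob`'s; the bound version returns nothing, because it looks for an operator literally named `alice' OR '1'='1`. The same discipline applies to whatever driver the WebUI actually uses; the point is the placeholder, not SQLite.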

  • CVE-2023-23348 · Jul 10, 2023
    risk 0.00 · cvss n/a · epss 0.00

    HCL Launch could disclose sensitive information if a manual edit of a configuration file has been performed.

  • CVE-2023-23344 · Jun 23, 2023
    risk 0.00 · cvss n/a · epss 0.00

    A permission issue in BigFix WebUI Insights site version 14 allows an authenticated, unprivileged operator to access an administrator page.

  • CVE-2023-28016 · Jun 22, 2023
    risk 0.00 · cvss n/a · epss 0.00

    A Host header injection vulnerability in the HCL BigFix OSD Bare Metal Server version 311.12 or lower allows an attacker to supply invalid input that causes the OSD Bare Metal Server to perform a redirect to an attacker-controlled domain.

  • CVE-2023-28006 · Jun 22, 2023
    risk 0.00 · cvss n/a · epss 0.00

    The OSD Bare Metal Server uses a cryptographic algorithm that is no longer considered sufficiently secure.

  • CVE-2023-23343 · Jun 22, 2023
    risk 0.00 · cvss n/a · epss 0.00

    A clickjacking vulnerability in the HCL BigFix OSD Bare Metal Server version 311.12 or lower allows an attacker to use transparent or opaque layers to trick a user into clicking on a button or link on another page, causing a redirect to an attacker-controlled domain.

  • CVE-2023-28015 · May 23, 2023
    risk 0.00 · cvss n/a · epss 0.00

    The HCL Domino AppDev Pack IAM service is susceptible to a user account enumeration vulnerability. During a failed login attempt, a difference in messages could allow an attacker to determine whether the user is valid or not. The attacker could use this information to focus a…

  • CVE-2023-28009 · Apr 26, 2023
    risk 0.00 · cvss n/a · epss 0.01

    HCL Workload Automation is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.

  • CVE-2023-28008 · Apr 26, 2023
    risk 0.00 · cvss n/a · epss 0.01

    HCL Workload Automation 9.4, 9.5, and 10.1 are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.
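    The two Workload Automation entries and the Unica entry above (CVE-2023-37497) describe the same class: an API that parses attacker-influenced XML with external entities enabled, which lets a `SYSTEM` entity read files or URLs and lets nested entity expansions exhaust memory. Both vectors require a DTD, so one robust hardening is to refuse any document that declares one before it reaches the real parser. The added example below (not HCL's code and not part of the original listing) does that with the standard-library expat parser; the job documents, the XXE and expansion-bomb payloads and the `/etc/passwd` placeholder are constructed for illustration.

```python
"""Refuse XML that declares a DTD before it reaches the real parser.

Added example (not HCL's or the page's code). The sample documents are
constructed; the file path in the XXE sample is only a placeholder.
"""
import xml.etree.ElementTree as ET
import xml.parsers.expat


class UnsafeXML(ValueError):
    """Raised when a document carries a DOCTYPE or entity declaration."""


def assert_no_dtd(data: bytes) -> None:
    """Abort at the first DOCTYPE, entity declaration or external entity reference.

    Both XXE (SYSTEM entities pointing at files or URLs) and entity-expansion
    bombs need a DTD. An API that takes XML from users can therefore refuse
    any document that has one, instead of relying on parser feature flags.
    Raising inside an expat handler stops the parse and propagates the error.
    """
    parser = xml.parsers.expat.ParserCreate()

    def reject(*_):
        raise UnsafeXML("DOCTYPE and entity declarations are not accepted")

    parser.StartDoctypeDeclHandler = reject
    parser.EntityDeclHandler = reject
    parser.ExternalEntityRefHandler = reject
    parser.Parse(data, True)


def parse_untrusted(data: bytes) -> ET.Element:
    """Pre-check, then parse with the standard library parser."""
    assert_no_dtd(data)
    return ET.fromstring(data)


def classify(data: bytes) -> str:
    """'ok', 'rejected' (DTD present) or 'malformed' (not well-formed XML)."""
    try:
        parse_untrusted(data)
        return "ok"
    except UnsafeXML:
        return "rejected"
    except (xml.parsers.expat.ExpatError, ET.ParseError):
        return "malformed"


# Constructed samples.
SAMPLE_OK = b'<?xml version="1.0"?><job><name>nightly</name></job>'
SAMPLE_XXE = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE data [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
    b"<data>&xxe;</data>"
)
SAMPLE_BOMB = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE lolz [<!ENTITY lol "lol"><!ENTITY lol2 "&lol;&lol;&lol;&lol;">]>'
    b"<lolz>&lol2;</lolz>"
)
SAMPLE_BROKEN = b"<job><name>nightly</job>"


if __name__ == "__main__":
    for label, doc in [("ok", SAMPLE_OK), ("xxe", SAMPLE_XXE),
                       ("bomb", SAMPLE_BOMB), ("broken", SAMPLE_BROKEN)]:
        print(f"{label}: {classify(doc)}")
```

    Rejecting the DTD outright is simpler to audit than configuring every parser feature correctly, and it is what a schema-validated API should want anyway: legitimate clients of a job or configuration API have no reason to ship inline entity definitions. If the application must accept DTDs, the equivalent is to disable external entity resolution and cap expansion in the parser it actually uses.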

  • CVE-2022-42452 · Mar 30, 2023
    risk 0.00 · cvss n/a · epss 0.00

    HCL Launch is vulnerable to HTML injection. HTML code is stored and included without being sanitized. This can lead to further attacks such as XSS and open redirections.

  • CVE-2022-42447 · Mar 27, 2023
    risk 0.00 · cvss n/a · epss 0.00

    HCL Compass is vulnerable to a Cross-Origin Resource Sharing (CORS) misconfiguration. This vulnerability can allow an unprivileged remote attacker to trick a legitimate user into accessing a special resource and executing a malicious request.
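    A CORS misconfiguration of the kind described above usually comes down to how the server decides which `Origin` gets `Access-Control-Allow-Origin` back with credentials. The added example below (not HCL's code and not part of the original listing) puts the two common mistakes, reflecting the header and matching on a suffix, next to an exact allowlist check, and runs a constructed probe set through each. The `example.com` origins and the probe strings are made up for illustration.

```python
"""Origin checks for CORS: reflection and suffix matching versus an exact allowlist.

Added example (not HCL's or the page's code). The origins are constructed.
"""
from typing import Dict, Optional
from urllib.parse import urlsplit

ALLOWED_ORIGINS = frozenset({"https://app.example.com", "https://admin.example.com"})


def cors_reflecting(origin: Optional[str]) -> Dict[str, str]:
    """Weak: echo whatever Origin arrived, with credentials. Any site the victim
    visits can then read authenticated responses from this API."""
    if origin is None:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def cors_suffix_match(origin: Optional[str]) -> Dict[str, str]:
    """Also weak: a trailing-string test lets 'https://evil-example.com'
    straight through, because it ends in 'example.com' too."""
    if origin is None or not origin.endswith("example.com"):
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def cors_allowlist(origin: Optional[str]) -> Dict[str, str]:
    """Fixed: normalise scheme and host, require an exact match on the full
    origin, and emit Vary: Origin so caches do not serve one origin's answer
    to another. Anything else gets no CORS headers at all."""
    if origin is None:
        return {}
    parts = urlsplit(origin.strip())
    if parts.path or parts.query or parts.fragment or not parts.scheme or not parts.netloc:
        return {}  # "null", bare hostnames and origins carrying a path are refused
    normalised = f"{parts.scheme.lower()}://{parts.netloc.lower()}"
    if normalised not in ALLOWED_ORIGINS:
        return {}
    return {"Access-Control-Allow-Origin": normalised,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin"}


# Constructed probe set of the kind an assessor sends in the Origin header.
PROBES = [
    "https://app.example.com",              # legitimate
    "HTTPS://App.Example.com",              # legitimate, odd casing
    "https://evil-example.com",             # suffix-match bypass
    "https://app.example.com.attacker.net", # prefix confusion
    "https://app.example.com@attacker.net", # userinfo confusion
    "null",                                 # sandboxed iframe / file origin
    "https://attacker.net",
]


def allowed_by(policy, probes=PROBES) -> list:
    """Origins a policy would grant credentialed access to."""
    return [o for o in probes if policy(o)]
```

    `allowed_by(cors_reflecting)` returns every probe, `allowed_by(cors_suffix_match)` admits the `evil-example.com` origin while rejecting the legitimate mixed-case one, and `allowed_by(cors_allowlist)` admits only the two legitimate spellings. Note that CORS headers only govern what a foreign page may read; they do not stop a forged state-changing request, which is the separate CSRF problem listed for the BigFix WebUI above.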

  • CVE-2021-27782 · Jan 19, 2023
    risk 0.00 · cvss n/a · epss 0.00

    HCL BigFix Mobile / Modern Client Management Admin and Config UI passwords can be brute-forced; users should be locked out after multiple invalid attempts.
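    This entry and the Domino AppDev Pack IAM entry above (CVE-2023-28015) are two sides of the same login endpoint: the first lacks a lockout after repeated failures, the second reveals through differing messages whether an account exists. The added example below (not HCL's code and not part of the original listing) implements a handler that returns one message for unknown user, wrong password and locked account alike, does the same amount of password-hashing work in every case, and locks an account for a window after `MAX_ATTEMPTS` failures. The `alice` account, the password, PBKDF2 parameters and thresholds are constructed; the clock is injectable so the lockout window can be exercised without waiting.

```python
"""Login endpoint with uniform failure messages and lockout.

Added example (not HCL's or the page's code). The user table, password and
thresholds are constructed; the clock is injectable so the lockout window can
be tested without waiting.
"""
import hashlib
import hmac
import os
import time
from typing import Callable, Dict, List, Tuple

GENERIC_FAILURE = "Invalid username or password"
MAX_ATTEMPTS = 5
LOCKOUT_SECONDS = 900.0
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


# Constructed user table: username -> (salt, pbkdf2 hash).
_salt = os.urandom(16)
USERS: Dict[str, Tuple[bytes, bytes]] = {"alice": (_salt, hash_password("correct horse", _salt))}

# Unknown usernames are verified against this throwaway credential so the
# request costs the same time as a real one; it can never match.
_DUMMY = (os.urandom(16), hash_password(os.urandom(16).hex(), os.urandom(16)))


class Authenticator:
    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self.clock = clock
        # username -> [failed_attempts, locked_until]
        self._failures: Dict[str, List[float]] = {}

    def _is_locked(self, username: str) -> bool:
        rec = self._failures.get(username)
        if rec is None or rec[0] < MAX_ATTEMPTS:
            return False
        if self.clock() < rec[1]:
            return True
        del self._failures[username]  # window expired: start counting afresh
        return False

    def login(self, username: str, password: str) -> Tuple[bool, str]:
        # One message for "no such user", "wrong password" and "locked": none of
        # them may tell the caller whether the account exists.
        if self._is_locked(username):
            return False, GENERIC_FAILURE
        salt, stored = USERS.get(username, _DUMMY)
        ok = hmac.compare_digest(hash_password(password, salt), stored)
        if ok and username in USERS:
            self._failures.pop(username, None)
            return True, "ok"
        rec = self._failures.setdefault(username, [0, 0.0])
        rec[0] += 1
        if rec[0] >= MAX_ATTEMPTS:
            rec[1] = self.clock() + LOCKOUT_SECONDS
        return False, GENERIC_FAILURE


if __name__ == "__main__":
    auth = Authenticator()
    print(auth.login("alice", "correct horse"))   # (True, 'ok')
    print(auth.login("nobody", "anything"))       # (False, 'Invalid username or password')
    print(auth.login("alice", "wrong"))           # (False, 'Invalid username or password')
```

    A production version needs a bounded store for the failure counters (the dictionary above grows with every distinct username tried), should log the lockout event for the SOC, and may prefer a per-source-IP limiter alongside the per-account one so that an attacker cannot lock legitimate users out on purpose. The important property is the one tested: a correct password during the lockout window gets the same generic failure as a wrong one, and the same message is returned for an account that does not exist.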

  • CVE-2022-38655 · Dec 20, 2022
    risk 0.00 · cvss n/a · epss 0.00

    BigFix WebUI non-master operators are missing controls that prevent them from being able to modify the relevance of fixlets or to deploy fixlets from the BES Support external site.

  • CVE-2022-44756 · Dec 19, 2022
    risk 0.00 · cvss n/a · epss 0.00

    Insights for Vulnerability Remediation (IVR) is vulnerable to improper input validation. This may lead to information disclosure. This requires privileged access.

  • CVE-2022-42454 · Dec 19, 2022
    risk 0.00 · cvss n/a · epss 0.00

    Insights for Vulnerability Remediation (IVR) is vulnerable to man-in-the-middle attacks that may lead to information disclosure. This requires privileged network access.

  • CVE-2022-42453 · Dec 17, 2022
    risk 0.00 · cvss n/a · epss 0.00

    There are insufficient warnings when a Fixlet is imported by a user. The warning message currently assumes the owner of the script is the logged in user, with insufficient warnings when attempting to run the script.

  • CVE-2022-38659 · Dec 17, 2022
    risk 0.00 · cvss n/a · epss 0.00

    In specific scenarios, on Windows the operator credentials may be encrypted in a manner that is not completely machine-dependent.

  • CVE-2022-44754 · Dec 17, 2022
    risk 0.00 · cvss n/a · epss 0.01

    HCL Domino is susceptible to a stack based buffer overflow vulnerability in lasr.dll in Micro Focus KeyView. This could allow a remote unauthenticated attacker to crash the application or execute arbitrary code via a crafted Lotus Ami Pro file. This is different from the…

  • CVE-2022-44752 · Dec 17, 2022
    risk 0.00 · cvss n/a · epss 0.01

    HCL Domino is susceptible to a stack based buffer overflow vulnerability in wp6sr.dll in Micro Focus KeyView. This could allow a remote unauthenticated attacker to crash the application or execute arbitrary code via a crafted WordPerfect file. This vulnerability applies to…

  • CVE-2022-44750 · Dec 17, 2022
    risk 0.00 · cvss n/a · epss 0.01

    HCL Domino is susceptible to a stack based buffer overflow vulnerability in lasr.dll in Micro Focus KeyView. This could allow a remote unauthenticated attacker to crash the application or execute arbitrary code via a crafted Lotus Ami Pro file. This is different from the…

  • CVE-2022-44755 · Dec 17, 2022
    risk 0.00 · cvss n/a · epss 0.01

    HCL Notes is susceptible to a stack based buffer overflow vulnerability in lasr.dll in Micro Focus KeyView. This could allow a remote unauthenticated attacker to crash the application or execute arbitrary code via a crafted Lotus Ami Pro file. This is different from the…

  • CVE-2022-44753 · Dec 17, 2022
    risk 0.00 · cvss n/a · epss 0.01

    HCL Notes is susceptible to a stack based buffer overflow vulnerability in wp6sr.dll in Micro Focus KeyView. This could allow a remote unauthenticated attacker to crash the application or execute arbitrary code via a crafted WordPerfect file. This vulnerability applies to…

  • CVE-2022-44751 · Dec 17, 2022
    risk 0.00 · cvss n/a · epss 0.01

    HCL Notes is susceptible to a stack based buffer overflow vulnerability in lasr.dll in Micro Focus KeyView. This could allow a remote unauthenticated attacker to crash the application or execute arbitrary code via a crafted Lotus Ami Pro file. This is different from the…

  • CVE-2022-38653 · Dec 15, 2022
    risk 0.00 · cvss n/a · epss 0.00

    In HCL Digital Experience, customized XSS payload can be constructed such that it is served in the application unencoded.

  • CVE-2022-38662 · Dec 15, 2022
    risk 0.00 · cvss n/a · epss 0.00

    In HCL Digital Experience, URLs can be constructed to redirect users to untrusted sites.
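    This Digital Experience entry, the BigFix WebUI login redirect (CVE-2023-28020) and the OSD Bare Metal Server Host header injection (CVE-2023-28016) all end the same way: the server emits a `Location` built from something the attacker controls. The added example below (not HCL's code and not part of the original listing) shows the two checks that close this off: a redirect parameter is reduced to a same-site path, and the `Host` header is compared against the deployment's allowlist before it is ever used to build an absolute URL. The `portal.example.com` host, the `/home` landing page and the probe strings are constructed for illustration.

```python
"""Post-login redirect target and Host header validation.

Added example (not HCL's or the page's code). Hostnames and paths are
constructed placeholders.
"""
from typing import Optional
from urllib.parse import urlsplit

ALLOWED_HOSTS = frozenset({"portal.example.com", "portal.example.com:8443"})
DEFAULT_LANDING = "/home"


def safe_redirect_target(target: Optional[str]) -> str:
    """Return a same-site path for a ?redirect= value, or the default landing page.

    Refused: absolute URLs, scheme-relative //host forms, backslash and
    triple-slash variants browsers normalise to //host, javascript: and other
    schemes, and relative paths without a leading slash.
    """
    if not target:
        return DEFAULT_LANDING
    # Browsers drop tab/CR/LF anywhere in a URL and treat '\' like '/' in the
    # authority position, so canonicalise the same way before deciding.
    candidate = "".join(ch for ch in target.strip() if ch not in "\t\r\n").replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        return DEFAULT_LANDING
    if not candidate.startswith("/") or candidate.startswith("//"):
        return DEFAULT_LANDING
    return candidate


def canonical_host(host_header: Optional[str]) -> str:
    """Return the request's Host only if it is one this deployment answers for.

    Absolute URLs in Location headers, password-reset mails and similar must be
    built from this value or a configured base URL, never from the raw header.
    X-Forwarded-Host is equally attacker-supplied unless a trusted proxy sets it.
    """
    if host_header is None:
        raise ValueError("missing Host header")
    host = host_header.strip().lower()
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"Host not allowed: {host!r}")
    return host


def login_redirect_location(host_header: Optional[str], target: Optional[str]) -> str:
    """Absolute Location value for the post-login redirect."""
    return f"https://{canonical_host(host_header)}{safe_redirect_target(target)}"


# Constructed probes and what the validator should do with each.
REDIRECT_PROBES = {
    "/dashboard?tab=1": "/dashboard?tab=1",
    "//attacker.net/phish": DEFAULT_LANDING,
    "https://attacker.net/": DEFAULT_LANDING,
    "/\\attacker.net": DEFAULT_LANDING,
    "///attacker.net": DEFAULT_LANDING,
    "javascript:alert(1)": DEFAULT_LANDING,
    "dashboard": DEFAULT_LANDING,
    "/dash\tboard": "/dashboard",
    None: DEFAULT_LANDING,
}


if __name__ == "__main__":
    for probe, expected in REDIRECT_PROBES.items():
        print(f"{probe!r:>24} -> {safe_redirect_target(probe)!r} (expected {expected!r})")
```

    Falling back to a fixed landing page rather than rejecting the request keeps the login flow working for users who arrive with a stale or tampered `redirect` value, while never sending them off-site. For the Host check, the allowlist should be configuration, not code, and the web or proxy tier in front of the application should drop requests whose Host matches nothing it serves.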

  • CVE-2022-42446 · Nov 30, 2022
    risk 0.00 · cvss n/a · epss 0.00

    Starting with Sametime 12, anonymous users are enabled by default. After logging in as an anonymous user, one has the ability to browse the User Directory and potentially create chats with internal users.

Page 6 of 8