Vendor CVEs
HCL Software
All CVEs
380 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-42445 | | | 0.00 | — | 0.01 | | Nov 28, 2022 | HCL Launch could allow a user with administrative privileges, including "Manage Security" permissions, the ability to recover a credential previously saved for performing authenticated LDAP searches. |
| CVE-2022-38661 | | | 0.00 | — | 0.00 | | Nov 4, 2022 | HCL Workload Automation could allow a local user to overwrite key system files which would cause the system to crash. |
| CVE-2022-38660 | | | 0.00 | — | 0.00 | | Nov 4, 2022 | HCL XPages applications are susceptible to a Cross Site Request Forgery (CSRF) vulnerability. An unauthenticated attacker could exploit this vulnerability to perform actions in the application on behalf of the logged in user. |
| CVE-2020-4099 | | | 0.00 | — | 0.00 | | Nov 1, 2022 | The application was signed using a key length less than or equal to 1024 bits, making it potentially vulnerable to forged digital signatures. An attacker could forge the same digital signature of the app after maliciously modifying the app. |
| CVE-2021-27784 | | | 0.00 | — | 0.00 | | Oct 31, 2022 | The provided HCL Launch Container images contain non-unique HTTPS certificates and a database encryption key. The fix provides directions and tools to replace the non-unique keys and certificates. This does not affect the standard installer packages. |
| CVE-2021-27774 | | | 0.00 | — | 0.00 | | Sep 22, 2022 | User input included in error response, which could be used in a phishing attack. |
| CVE-2022-27563 | | | 0.00 | — | 0.01 | | Aug 30, 2022 | An unauthenticated user can overload a part of HCL VersionVault Express and cause a denial of service. |
| CVE-2022-27560 | | | 0.00 | — | 0.00 | | Aug 30, 2022 | HCL VersionVault Express exposes administrator credentials. |
| CVE-2022-27558 | | | 0.00 | — | 0.00 | | Aug 29, 2022 | HCL iNotes is susceptible to a Broken Password Strength Checks vulnerability. Custom password policies are not enforced on certain iNotes forms which could allow users to set weak passwords, leading to easier cracking. |
| CVE-2022-27547 | | | 0.00 | — | 0.00 | | Aug 29, 2022 | HCL iNotes is susceptible to a link to non-existent domain vulnerability. An attacker could use this vulnerability to trick a user into supplying sensitive information such as username, password, credit card number, etc. |
| CVE-2022-27546 | | | 0.00 | — | 0.01 | | Aug 29, 2022 | HCL iNotes is susceptible to a Reflected Cross-site Scripting (XSS) vulnerability caused by improper validation of user-supplied input supplied with a form POST request. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a… |
| CVE-2022-22369 | | | 0.00 | — | 0.00 | | Aug 10, 2022 | IBM Workload Scheduler 9.4 and 9.5 could allow a local user to overwrite key system files which would cause the system to crash. IBM X-Force ID: 221187. |
| CVE-2022-36831 | | | 0.00 | — | 0.00 | | Aug 5, 2022 | Path traversal vulnerability in UriFileUtils of Samsung Notes prior to version 4.3.14.39 allows attacker to access some file as Samsung Notes permission. |
| CVE-2022-27551 | | | 0.00 | — | 0.00 | | Aug 3, 2022 | HCL Launch could allow an authenticated user to obtain sensitive information in some instances due to improper security checking. |
| CVE-2021-27785 | | | 0.00 | — | 0.00 | | Jul 29, 2022 | HCL Commerce's Remote Store server could allow a local attacker to obtain sensitive personal information. The vulnerability requires the victim to first perform a particular operation on the website. |
| CVE-2022-27545 | | | 0.00 | — | 0.00 | | Jul 19, 2022 | BigFix Web Reports authorized users may perform HTML injection for the email administrative configuration page. |
| CVE-2022-27544 | | | 0.00 | — | 0.00 | | Jul 19, 2022 | BigFix Web Reports authorized users may see SMTP credentials in clear text. |
| CVE-2022-27549 | | | 0.00 | — | 0.00 | | Jul 6, 2022 | HCL Launch may store certain data for recurring activities in a plain text format. |
| CVE-2022-27548 | | | 0.00 | — | 0.00 | | Jul 6, 2022 | HCL Launch stores user credentials in plain clear text which can be read by a local user. |
| CVE-2021-27781 | | | 0.00 | — | 0.00 | | May 27, 2022 | The Master operator may be able to embed script tag in HTML with alert pop-up display cookie. |
| CVE-2021-27780 | | | 0.00 | — | 0.01 | | May 27, 2022 | The software may be vulnerable to both Un-Auth XML interaction and unauthenticated device enrollment. |
| CVE-2021-27783 | | | 0.00 | — | 0.00 | | May 25, 2022 | User generated PPKG file for Bulk Enroll may have unencrypted sensitive information exposed. |
| CVE-2021-27779 | | | 0.00 | — | 0.01 | | May 25, 2022 | VersionVault Express exposes sensitive information that an attacker can use to impersonate the server or eavesdrop on communications with the server. |
| CVE-2021-27777 | | | 0.00 | — | 0.01 | | May 12, 2022 | XML External Entity (XXE) injection vulnerabilities occur when poorly configured XML parsers process user supplied input without sufficient validation. Attackers can exploit this vulnerability to manipulate XML content and inject malicious external entity references. |
| CVE-2021-27770 | | | 0.00 | — | 0.01 | | May 12, 2022 | The vulnerability was discovered within the "FaviconService". The service takes a base64-encoded URL which is then requested by the webserver. We assume this service is used by the "meetings"-function where users can specify an external URL where the online meeting will… |
| CVE-2021-27768 | | | 0.00 | — | 0.00 | | May 12, 2022 | Using the ability to perform a Man-in-the-Middle (MITM) attack, which indicates a lack of hostname verification, sensitive account information was able to be intercepted. In this specific scenario, the application's network traffic was intercepted using a proxy server set up in… |
| CVE-2021-27767 | | | 0.00 | — | 0.00 | | May 6, 2022 | The BigFix Console installer is created with InstallShield, which was affected by CVE-2021-41526, a vulnerability that could allow a local user to perform a privilege escalation. This vulnerability was resolved by updating to an InstallShield version with the underlying… |
| CVE-2021-27766 | | | 0.00 | — | 0.00 | | May 6, 2022 | The BigFix Client installer is created with InstallShield, which was affected by CVE-2021-41526, a vulnerability that could allow a local user to perform a privilege escalation. This vulnerability was resolved by updating to an InstallShield version with the underlying… |
| CVE-2021-27765 | | | 0.00 | — | 0.00 | | May 6, 2022 | The BigFix Server API installer is created with InstallShield, which was affected by CVE-2021-41526, a vulnerability that could allow a local user to perform a privilege escalation. This vulnerability was resolved by updating to an InstallShield version with the underlying… |
| CVE-2021-27764 | | | 0.00 | — | 0.01 | | May 6, 2022 | Cookie without HTTPONLY flag set. NUMBER cookie(s) was set without Secure or HTTPOnly flags. The images show the cookie with the missing flag. (WebUI) |
| CVE-2021-27762 | | | 0.00 | — | 0.01 | | May 6, 2022 | Misconfigured security-related HTTP headers: Several security-related headers were missing or mis-configured on the web responses. |
| CVE-2021-27761 | | | 0.00 | — | 0.00 | | May 6, 2022 | Weak web transport security (Weak TLS): An attacker may be able to decrypt the data using attacks. |
| CVE-2021-27760 | | | 0.00 | — | 0.01 | | May 6, 2022 | An issue was discovered in the Sametime chat feature in the Notes 11.0 - 11.0.1 FP4 clients. An authenticated Sametime chat user could cause Remote Code Execution on another chat client by sending a specially formatted message through chat containing Javascript code. |
| CVE-2021-27753 | | | 0.00 | — | 0.00 | | Feb 21, 2022 | "Sametime Android PathTraversal Vulnerability" |
| CVE-2021-27741 | | | 0.00 | — | 0.01 | | Aug 13, 2021 | "Security vulnerability in HCL Commerce Management Center allowing XML external entity (XXE) injection" |
| CVE-2021-25405 | | | 0.00 | — | 0.00 | | Jun 11, 2021 | An improper access control vulnerability in ScreenOffActivity in Samsung Notes prior to version 4.2.04.27 allows untrusted applications to access local files. |
| CVE-2020-14246 | | | 0.00 | — | 0.01 | | Feb 4, 2021 | HCL OneTest Performance V9.5, V10.0, V10.1 uses basic authentication which is relatively weak. An attacker could potentially decode the encoded credentials. |
| CVE-2020-14247 | | | 0.00 | — | 0.01 | | Feb 4, 2021 | HCL OneTest Performance V9.5, V10.0, V10.1 contains an inadequate session timeout, which could allow an attacker time to guess and use a valid session ID. |
| CVE-2020-14245 | | | 0.00 | — | 0.01 | | Feb 4, 2021 | HCL OneTest UI V9.5, V10.0, and V10.1 does not perform authentication for functionality that either requires a provable user identity or consumes a significant amount of resources. |
| CVE-2020-4081 | | | 0.00 | — | 0.01 | | Feb 2, 2021 | In Digital Experience 8.5, 9.0, and 9.5, WSRP consumer is vulnerable to cross-site scripting (XSS). |
| CVE-2020-14255 | | | 0.00 | — | 0.01 | | Feb 2, 2021 | HCL Digital Experience 9.5 containers include vulnerabilities that could expose sensitive data to unauthorized parties via crafted requests. These affect containers only. These do not affect traditional on-premise installations. |
| CVE-2020-14221 | | | 0.00 | — | 0.01 | | Feb 2, 2021 | HCL Digital Experience 8.5, 9.0, and 9.5 exposes information about the server to unauthorized users. |
| CVE-2020-4674 | | | 0.00 | — | 0.01 | | Jan 12, 2021 | IBM Workload Automation 9.5 stores the server path in URLs that could aid in further attacks against the system. IBM X-Force ID: 186287. |
| CVE-2020-4673 | | | 0.00 | — | 0.01 | | Jan 12, 2021 | IBM Workload Automation 9.5 stores sensitive information in HTML comments that could aid in further attacks against the system. IBM X-Force ID: 186286. |
| CVE-2020-14270 | | | 0.00 | — | 0.01 | | Dec 22, 2020 | HCL Domino v9, v10, v11 is susceptible to an Information Disclosure vulnerability in XPages due to improper error handling of user input. An unauthenticated attacker could exploit this vulnerability to obtain information about the XPages software running on the Domino server. |
| CVE-2020-14224 | | | 0.00 | — | 0.02 | | Dec 18, 2020 | A vulnerability in the MIME message handling of the HCL Notes v9 client could potentially be exploited by an unauthenticated attacker resulting in a stack buffer overflow. This could allow a remote attacker to crash the Notes application or inject code into the system which… |
| CVE-2020-14232 | | | 0.00 | — | 0.01 | | Dec 17, 2020 | A vulnerability in the input parameter handling of HCL Notes v9 could potentially be exploited by an authenticated attacker resulting in a stack buffer overflow. This could allow the attacker to crash the program or inject code into the system which would execute with the… |
| CVE-2020-14268 | | | 0.00 | — | 0.02 | | Dec 14, 2020 | A vulnerability in the MIME message handling of the Notes client (versions 9 and 10) could potentially be exploited by an unauthenticated attacker resulting in a stack buffer overflow. This could allow a remote attacker to crash the client or inject code into the system which… |
| CVE-2020-4102 | | | 0.00 | — | 0.00 | | Dec 2, 2020 | HCL Notes is susceptible to a Buffer Overflow vulnerability in DXL due to improper validation of user input. A successful exploit could enable an attacker to crash Notes or execute attacker-controlled code on the client system. |
| CVE-2020-14258 | | | 0.00 | — | 0.01 | | Nov 21, 2020 | HCL Notes is susceptible to a Denial of Service vulnerability caused by improper validation of user-supplied input. A remote unauthenticated attacker could exploit this vulnerability using a specially-crafted email message to hang the client. Versions 9, 10 and 11 are affected. |
Page 7 of 8