Vendor CVEs
HCLTech
All CVEs
132 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-30122 | | | 0.00 | — | 0.00 | | Oct 23, 2024 | HCL Sametime is impacted by misconfigured security related HTTP headers. It was identified that some HTTP headers were missing on web service responses. This will lead to less secure browser default treatment for the policies controlled by these headers. |
| CVE-2023-45696 | | | 0.00 | — | 0.00 | | Feb 10, 2024 | Sametime is impacted by sensitive fields with autocomplete enabled in the Legacy web chat client. By default, this allows user entered data to be stored by the browser. |
| CVE-2023-45716 | | | 0.00 | — | 0.00 | | Feb 9, 2024 | Sametime is impacted by sensitive information passed in URL. |
| CVE-2023-50349 | | | 0.00 | — | 0.00 | | Feb 9, 2024 | Sametime is impacted by a Cross Site Request Forgery (CSRF) vulnerability. Some REST APIs in the Sametime Proxy application can allow an attacker to perform malicious actions on the application. |
| CVE-2023-37528 | | | 0.00 | — | 0.00 | | Feb 3, 2024 | A cross-site scripting (XSS) vulnerability in the Web Reports component of HCL BigFix Platform can possibly allow an attack to exploit an application parameter during execution of the Save Report. |
| CVE-2024-23553 | | | 0.00 | — | 0.00 | | Feb 2, 2024 | A cross-site scripting (XSS) vulnerability in the Web Reports component of HCL BigFix Platform exists due to missing a specific http header attribute. |
| CVE-2023-37531 | | | 0.00 | — | 0.00 | | Feb 2, 2024 | A cross-site scripting (XSS) vulnerability in the Web Reports component of HCL BigFix Platform can possibly allow an attacker to execute malicious javascript code into a form field of a webpage by a user with privileged access. |
| CVE-2023-37530 | | | 0.00 | — | 0.00 | | Feb 2, 2024 | A cross-site scripting (XSS) vulnerability in the Web Reports component of HCL BigFix Platform can possibly allow an attacker to execute malicious javascript code into a webpage trying to retrieve cookie stored information. |
| CVE-2023-37529 | | | 0.00 | — | 0.00 | | Feb 2, 2024 | A cross-site scripting (XSS) vulnerability in the Web Reports component of HCL BigFix Platform can possibly allow an attacker to execute malicious javascript code into a webpage trying to retrieve cookie stored information. This is not the same vulnerability as identified in… |
| CVE-2023-37527 | | | 0.00 | — | 0.00 | | Feb 2, 2024 | A reflected cross-site scripting (XSS) vulnerability in the Web Reports component of HCL BigFix Platform can possibly allow an attacker to execute malicious javascript code in the application session or in database, via remote injection, while rendering content in a web page. |
| CVE-2023-37520 | | | 0.00 | — | 0.00 | | Dec 21, 2023 | Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability identified in BigFix Server version 9.5.12.68, allowing for potential data exfiltration. This XSS vulnerability is in the Gather Status Report, which is served by the BigFix Relay. |
| CVE-2023-37519 | | | 0.00 | — | 0.00 | | Dec 21, 2023 | Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability. This XSS vulnerability is in the Download Status Report, which is served by the BigFix Server. |
| CVE-2022-42451 | | | 0.00 | — | 0.00 | | Oct 11, 2023 | Certain credentials within the BigFix Patch Management Download Plug-ins are stored insecurely and could be exposed to a local privileged user. |
| CVE-2023-37501 | | | 0.00 | — | 0.00 | | Aug 3, 2023 | A Persistent XSS vulnerability can be carried out in a certain field of Unica Campaign. An attacker could hijack a user's session and perform other attacks. |
| CVE-2023-37497 | | | 0.00 | — | 0.00 | | Aug 3, 2023 | The Unica application exposes an API which accepts arbitrary XML input. By manipulating the given XML, an authenticated attacker with certain rights can successfully perform XML External Entity attacks (XXE) against the backend service. |
| CVE-2023-28021 | | | 0.00 | — | 0.00 | | Jul 18, 2023 | The BigFix WebUI uses weak cipher suites. |
| CVE-2023-28020 | | | 0.00 | — | 0.00 | | Jul 18, 2023 | URL redirection in Login page in HCL BigFix WebUI allows malicious user to redirect the client browser to an external site via redirect URL response header. |
| CVE-2023-28019 | | | 0.00 | — | 0.00 | | Jul 18, 2023 | Insufficient validation in Bigfix WebUI API App site version < 14 allows an authenticated WebUI user to issue SQL queries via an unparameterized SQL query. |
| CVE-2023-23344 | | | 0.00 | — | 0.00 | | Jun 23, 2023 | A permission issue in BigFix WebUI Insights site version 14 allows an authenticated, unprivileged operator to access an administrator page. |
| CVE-2022-42446 | | | 0.00 | — | 0.00 | | Nov 30, 2022 | Starting with Sametime 12, anonymous users are enabled by default. After logging in as an anonymous user, one has the ability to browse the User Directory and potentially create chats with internal users. |
| CVE-2022-27561 | | | 0.00 | — | 0.00 | | Sep 15, 2022 | There is a reflected Cross-Site Scripting vulnerability in the HCL Traveler web admin (LotusTraveler.nsf). |
| CVE-2022-27545 | | | 0.00 | — | 0.00 | | Jul 19, 2022 | BigFix Web Reports authorized users may perform HTML injection for the email administrative configuration page. |
| CVE-2022-27544 | | | 0.00 | — | 0.00 | | Jul 19, 2022 | BigFix Web Reports authorized users may see SMTP credentials in clear text. |
| CVE-2021-27778 | | | 0.00 | — | 0.00 | | May 31, 2022 | HCL Traveler is vulnerable to a cross-site scripting (XSS) caused by improper validation of the Name parameter for Approved Applications in the Traveler administration web pages. An attacker could exploit this vulnerability to execute a malicious script to access any cookies,… |
| CVE-2021-27771 | | | 0.00 | — | 0.01 | | May 12, 2022 | User SID can be modified resulting in an Arbitrary File Upload or deletion of directories causing a Denial of Service. When interacting in a normal matter with the Sametime chat application, users hold a cookie containing their session ID (SID). This value is also used when… |
| CVE-2021-27766 | | | 0.00 | — | 0.00 | | May 6, 2022 | The BigFix Client installer is created with InstallShield, which was affected by CVE-2021-41526, a vulnerability that could allow a local user to perform a privilege escalation. This vulnerability was resolved by updating to an InstallShield version with the underlying… |
| CVE-2021-27755 | | | 0.00 | — | 0.00 | | Feb 21, 2022 | "Sametime Android potential path traversal vulnerability when using File class" |
| CVE-2020-4104 | | | 0.00 | — | 0.01 | | Jul 17, 2020 | HCL BigFix WebUI is vulnerable to stored cross-site scripting (XSS) within the Apps->Software module. An attacker can use XSS to send a malicious script to an unsuspecting user. This affects all versions prior to latest releases as specified in… |
| CVE-2019-4090 | | | 0.00 | — | 0.01 | | Jul 17, 2020 | "HCL Campaign is vulnerable to cross-site scripting when a user provides XSS scripts in Campaign Description field." |
| CVE-2020-4095 | | | 0.00 | — | 0.00 | | Jul 16, 2020 | "BigFix Platform is storing clear text credentials within the system's memory. An attacker who is able to gain administrative privileges can use a program to create a memory dump and extract the credentials. These credentials can be used to pivot further into the environment.… |
| CVE-2019-4409 | | | 0.00 | — | 0.01 | | Oct 18, 2019 | HCL Traveler versions 9.x and earlier are susceptible to cross-site scripting attacks. On the Problem Report page of the Traveler servlet pages, there is a field to specify a file attachment to provide additional problem details. An invalid file name returns an error message… |
| CVE-2019-4012 | | | 0.00 | — | 0.02 | | Apr 15, 2019 | IBM BigFix WebUI Profile Management 6 and Software Distribution 23 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID:… |
Page 3 of 3