HCL Compass is vulnerable to failure to invalidate sessions. The application does not invalidate authenticated sessions when the log out functionality is called. If the session identifier can be discovered, it could be replayed to the application and used to impersonate the...
CVSS: 7.1 | AI Score: 6.3 | EPSS: 0.0005
An unquoted service path vulnerability in HCL AppScan Presence, deployed as a Windows service in HCL AppScan on Cloud (ASoC), may allow a local attacker to gain elevated...
CVSS: 7.8 | AI Score: 7.7 | EPSS: 0.0004
BigFix Insights for Vulnerability Remediation (IVR) uses weak cryptography that can lead to credential exposure. An attacker could gain access to sensitive information, modify data in unexpected ways,...
CVSS: 8.2 | AI Score: 8.1 | EPSS: 0.001
BigFix Insights/IVR fixlet uses improper credential handling within certain fixlet content. An attacker can gain access to information that is not explicitly...
CVSS: 6.5 | AI Score: 5.2 | EPSS: 0.0005
Certain credentials within the BigFix Patch Management Download Plug-ins are stored insecurely and could be exposed to a local privileged...
CVSS: 4.6 | AI Score: 4.5 | EPSS: 0.0004
HCL Digital Experience is susceptible to cross site scripting (XSS). One subcomponent is vulnerable to reflected XSS. In reflected XSS, an attacker must induce a victim to click on a crafted URL from some delivery mechanism (email, other web...
CVSS: 9.3 | AI Score: 6 | EPSS: 0.0005
In some configuration scenarios, the Domino server host name can be exposed. This information could be used to target future...
CVSS: 5.3 | AI Score: 5.1 | EPSS: 0.0005
If certain App Transport Security (ATS) settings are set in a certain manner, insecure loading of web content can be...
CVSS: 4.3 | AI Score: 4.6 | EPSS: 0.0004
When the app is put to the background and the user goes to the task switcher of iOS, the app snapshot is not blurred which may reveal sensitive...
CVSS: 5.5 | AI Score: 5.5 | EPSS: 0.0004
When the app is put to the background and the user goes to the task switcher of iOS, the app snapshot is not blurred which may reveal sensitive...
CVSS: 5.5 | AI Score: 5.4 | EPSS: 0.0004
If certain local files are manipulated in a certain manner, the validation to use the cryptographic keys can be...
CVSS: 7.1 | AI Score: 6.7 | EPSS: 0.0004
HCL DRYiCE iAutomate is affected by the use of a broken cryptographic algorithm. An attacker can potentially compromise the confidentiality and integrity of sensitive...
CVSS: 7.1 | AI Score: 6.8 | EPSS: 0.0004
HCL DRYiCE MyCloud is affected by the use of a broken cryptographic algorithm. An attacker can potentially compromise the confidentiality and integrity of sensitive...
CVSS: 7.1 | AI Score: 6.8 | EPSS: 0.0004
The Unica application exposes an API which accepts arbitrary XML input. By manipulating the given XML, an authenticated attacker with certain rights can successfully perform XML External Entity attacks (XXE) against the backend...
CVSS: 8.8 | AI Score: 8.5 | EPSS: 0.001
A user is capable of assigning themselves to arbitrary groups by reusing a POST request issued by an administrator. It is possible that an attacker could potentially escalate their...
CVSS: 8.8 | AI Score: 8.7 | EPSS: 0.001
A Persistent Cross-site Scripting (XSS) vulnerability can be carried out on certain pages of Unica Platform. An attacker could hijack a user's session and perform other...
CVSS: 8.1 | AI Score: 6 | EPSS: 0.0005
A Persistent Cross-site Scripting (XSS) vulnerability can be carried out in a certain field of the Unica Platform. An attacker could hijack a user's session and perform other...
CVSS: 8.1 | AI Score: 6 | EPSS: 0.0005
A Persistent XSS vulnerability can be carried out in a certain field of Unica Campaign. An attacker could hijack a user's session and perform other...
CVSS: 8.1 | AI Score: 6 | EPSS: 0.0005
HCL Verse is susceptible to a Stored Cross Site Scripting (XSS) vulnerability. An attacker could execute script in a victim's web browser to perform operations as the victim and/or steal the victim's cookies, session tokens, or other sensitive...
CVSS: 8.3 | AI Score: 5.3 | EPSS: 0.0005
HCL Verse is susceptible to a Reflected Cross Site Scripting (XSS) vulnerability. By tricking a user into entering crafted markup a remote, unauthenticated attacker could execute script in a victim's web browser to perform operations as the victim and/or steal the victim's cookies, session...
CVSS: 6.5 | AI Score: 6.1 | EPSS: 0.001
HCL BigFix Mobile is vulnerable to a command injection attack. An authenticated attacker could run arbitrary shell commands on the WebUI...
CVSS: 8.8 | AI Score: 8.9 | EPSS: 0.001
HCL BigFix Mobile is vulnerable to a cross-site scripting attack. An authenticated attacker could inject malicious scripts into the...
CVSS: 6.6 | AI Score: 5.1 | EPSS: 0.0005
A cross site request forgery vulnerability in the BigFix WebUI Software Distribution interface site version 44 and before allows an NMO attacker to access files on server side systems (server machine and all the ones in its...
CVSS: 6.5 | AI Score: 6.4 | EPSS: 0.001
URL redirection in the Login page of HCL BigFix WebUI allows a malicious user to redirect the client browser to an external site via the redirect URL response...
CVSS: 6.1 | AI Score: 6.2 | EPSS: 0.001
Insufficient validation in Bigfix WebUI API App site version < 14 allows an authenticated WebUI user to issue SQL queries via an unparameterized SQL...
CVSS: 8.8 | AI Score: 8.6 | EPSS: 0.001
HCL Launch could disclose sensitive information if a manual edit of a configuration file has been...
CVSS: 5.5 | AI Score: 5.3 | EPSS: 0.0004
A permission issue in BigFix WebUI Insights site version 14 allows an authenticated, unprivileged operator to access an administrator...
CVSS: 6.5 | AI Score: 6.3 | EPSS: 0.001
A clickjacking vulnerability in the HCL BigFix OSD Bare Metal Server version 311.12 or lower allows an attacker to use transparent or opaque layers to trick a user into clicking on a button or link on another page to perform a redirect to an attacker-controlled...
CVSS: 6.1 | AI Score: 6.2 | EPSS: 0.001
A Host Header Injection vulnerability in the HCL BigFix OSD Bare Metal Server version 311.12 or lower allows an attacker to supply invalid input to cause the OSD Bare Metal Server to perform a redirect to an attacker-controlled...
CVSS: 6.1 | AI Score: 6.3 | EPSS: 0.001
The OSD Bare Metal Server uses a cryptographic algorithm that is no longer considered sufficiently...
CVSS: 7.8 | AI Score: 7.5 | EPSS: 0.0004
The vulnerability was discovered within the “FaviconService”. The service takes a base64-encoded URL which is then requested by the webserver. We assume this service is used by the “meetings”-function where users can specify an external URL where the online meeting will take...
CVSS: 8.8 | AI Score: 8.6 | EPSS: 0.002
Cookie without the HttpOnly flag set. NUMBER cookie(s) were set without the Secure or HttpOnly flags. The images show the cookie with the missing flag....
CVSS: 7.4 | AI Score: 6.5 | EPSS: 0.002
The HCL Domino AppDev Pack IAM service is susceptible to a User Account Enumeration vulnerability. During a failed login attempt a difference in messages could allow an attacker to determine if the user is valid or not. The attacker could use this information to focus a brute force attack on...
CVSS: 5.3 | AI Score: 5.1 | EPSS: 0.0005
HCL Workload Automation 9.4, 9.5, and 10.1 are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory...
CVSS: 8.1 | AI Score: 8 | EPSS: 0.001
HCL Workload Automation is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory...
CVSS: 8.1 | AI Score: 8 | EPSS: 0.001
The application was signed using a key length less than or equal to 1024 bits, making it potentially vulnerable to forged digital signatures. An attacker could forge the same digital signature of the app after maliciously modifying the...
CVSS: 7.5 | AI Score: 7.4 | EPSS: 0.001
The provided HCL Launch Container images contain non-unique HTTPS certificates and a database encryption key. The fix provides directions and tools to replace the non-unique keys and certificates. This does not affect the standard installer...
CVSS: 7.5 | AI Score: 7.4 | EPSS: 0.001
There is a reflected Cross-Site Scripting vulnerability in the HCL Traveler web admin...
CVSS: 7.5 | AI Score: 5 | EPSS: 0.001
An unauthenticated user can overload a part of HCL VersionVault Express and cause a denial of...
CVSS: 7.5 | AI Score: 7.5 | EPSS: 0.001
HCL iNotes is susceptible to a Broken Password Strength Checks vulnerability. Custom password policies are not enforced on certain iNotes forms which could allow users to set weak passwords, leading to easier...
CVSS: 7.5 | AI Score: 7.5 | EPSS: 0.002
HCL iNotes is susceptible to a link to non-existent domain vulnerability. An attacker could use this vulnerability to trick a user into supplying sensitive information such as username, password, credit card number,...
CVSS: 7.4 | AI Score: 7.1 | EPSS: 0.002
HCL iNotes is susceptible to a Reflected Cross-site Scripting (XSS) vulnerability caused by improper validation of user-supplied input supplied with a form POST request. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's web browser...
CVSS: 8.3 | AI Score: 6.2 | EPSS: 0.001
HCL Launch could allow an authenticated user to obtain sensitive information in some instances due to improper security...
CVSS: 6.5 | AI Score: 6.1 | EPSS: 0.001
HCL Commerce's Remote Store server could allow a local attacker to obtain sensitive personal information. The vulnerability requires the victim to first perform a particular operation on the...
CVSS: 5 | AI Score: 5 | EPSS: 0.0004
BigFix Web Reports authorized users may perform HTML injection for the email administrative configuration...
CVSS: 5.4 | AI Score: 5.7 | EPSS: 0.001