BigFix Insights/IVR fixlet uses improper credential handling within certain fixlet content. An attacker can gain access to information that is not explicitly...
CVSS 6.5 | AI Score 5.2 | EPSS 0.0005

Certain credentials within the BigFix Patch Management Download Plug-ins are stored insecurely and could be exposed to a local privileged...
CVSS 4.6 | AI Score 4.5 | EPSS 0.0004

HCL Digital Experience is susceptible to cross site scripting (XSS). One subcomponent is vulnerable to reflected XSS. In reflected XSS, an attacker must induce a victim to click on a crafted URL from some delivery mechanism (email, other web...
CVSS 9.3 | AI Score 6 | EPSS 0.0005

In some configuration scenarios, the Domino server host name can be exposed. This information could be used to target future...
CVSS 5.3 | AI Score 5.1 | EPSS 0.0005

If certain App Transport Security (ATS) settings are set in a certain manner, insecure loading of web content can be...
CVSS 4.3 | AI Score 4.6 | EPSS 0.0004

When the app is put to the background and the user goes to the task switcher of iOS, the app snapshot is not blurred which may reveal sensitive...
CVSS 5.5 | AI Score 5.5 | EPSS 0.0004
If certain local files are manipulated in a certain manner, the validation to use the cryptographic keys can be...
CVSS 7.1 | AI Score 6.7 | EPSS 0.0004

When the app is put to the background and the user goes to the task switcher of iOS, the app snapshot is not blurred which may reveal sensitive...
CVSS 5.5 | AI Score 5.4 | EPSS 0.0004

HCL DRYiCE iAutomate is affected by the use of a broken cryptographic algorithm. An attacker can potentially compromise the confidentiality and integrity of sensitive...
CVSS 7.1 | AI Score 6.8 | EPSS 0.0004

HCL DRYiCE MyCloud is affected by the use of a broken cryptographic algorithm. An attacker can potentially compromise the confidentiality and integrity of sensitive...
CVSS 7.1 | AI Score 6.8 | EPSS 0.0004

A user is capable of assigning him/herself to arbitrary groups by reusing a POST request issued by an administrator. It is possible that an attacker could potentially escalate their...
CVSS 8.8 | AI Score 8.7 | EPSS 0.001

The Unica application exposes an API which accepts arbitrary XML input. By manipulating the given XML, an authenticated attacker with certain rights can successfully perform XML External Entity attacks (XXE) against the backend...
CVSS 8.8 | AI Score 8.5 | EPSS 0.001
A Persistent Cross-site Scripting (XSS) vulnerability can be carried out in a certain field of the Unica Platform. An attacker could hijack a user's session and perform other...
CVSS 8.1 | AI Score 6 | EPSS 0.0005

A Persistent XSS vulnerability can be carried out in a certain field of Unica Campaign. An attacker could hijack a user's session and perform other...
CVSS 8.1 | AI Score 6 | EPSS 0.0005

A Persistent Cross-site Scripting (XSS) vulnerability can be carried out on certain pages of Unica Platform. An attacker could hijack a user's session and perform other...
CVSS 8.1 | AI Score 6 | EPSS 0.0005

HCL Verse is susceptible to a Stored Cross Site Scripting (XSS) vulnerability. An attacker could execute script in a victim's web browser to perform operations as the victim and/or steal the victim's cookies, session tokens, or other sensitive...
CVSS 8.3 | AI Score 5.3 | EPSS 0.0004

HCL Verse is susceptible to a Reflected Cross Site Scripting (XSS) vulnerability. By tricking a user into entering crafted markup a remote, unauthenticated attacker could execute script in a victim's web browser to perform operations as the victim and/or steal the victim's cookies, session...
CVSS 6.5 | AI Score 6.1 | EPSS 0.001

HCL BigFix Mobile is vulnerable to a command injection attack. An authenticated attacker could run arbitrary shell commands on the WebUI...
CVSS 8.8 | AI Score 8.9 | EPSS 0.001

HCL BigFix Mobile is vulnerable to a cross-site scripting attack. An authenticated attacker could inject malicious scripts into the...
CVSS 6.6 | AI Score 5.1 | EPSS 0.0005
A cross site request forgery vulnerability in the BigFix WebUI Software Distribution interface site version 44 and before allows an NMO attacker to access files on server side systems (server machine and all the ones in its...
CVSS 6.5 | AI Score 6.4 | EPSS 0.001

URL redirection in the Login page in HCL BigFix WebUI allows a malicious user to redirect the client browser to an external site via the redirect URL response...
CVSS 6.1 | AI Score 6.2 | EPSS 0.001
Insufficient validation in BigFix WebUI API App site version < 14 allows an authenticated WebUI user to issue SQL queries via an unparameterized SQL...
CVSS 8.8 | AI Score 8.6 | EPSS 0.001

The OSD Bare Metal Server uses a cryptographic algorithm that is no longer considered sufficiently...
CVSS 7.8 | AI Score 7.5 | EPSS 0.0004

A clickjacking vulnerability in the HCL BigFix OSD Bare Metal Server version 311.12 or lower allows an attacker to use transparent or opaque layers to trick a user into clicking on a button or link on another page to perform a redirect to an attacker-controlled...
CVSS 6.1 | AI Score 6.2 | EPSS 0.0005

Host Header Injection vulnerability in the HCL BigFix OSD Bare Metal Server version 311.12 or lower allows an attacker to supply invalid input to cause the OSD Bare Metal Server to perform a redirect to an attacker-controlled...
CVSS 6.1 | AI Score 6.3 | EPSS 0.0005

A permission issue in BigFix WebUI Insights site version 14 allows an authenticated, unprivileged operator to access an administrator...
CVSS 6.5 | AI Score 6.3 | EPSS 0.0005
The vulnerability was discovered within the “FaviconService”. The service takes a base64-encoded URL which is then requested by the webserver. We assume this service is used by the “meetings”-function where users can specify an external URL where the online meeting will take...
CVSS 8.8 | AI Score 8.6 | EPSS 0.002

Cookie without HTTPONLY flag set. NUMBER cookie(s) was set without Secure or HTTPOnly flags. The images show the cookie with the missing flag....
CVSS 7.4 | AI Score 6.5 | EPSS 0.002

HCL Workload Automation 9.4, 9.5, and 10.1 are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory...
CVSS 8.1 | AI Score 8 | EPSS 0.001

HCL Workload Automation is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory...
CVSS 8.1 | AI Score 8 | EPSS 0.001

The application was signed using a key length less than or equal to 1024 bits, making it potentially vulnerable to forged digital signatures. An attacker could forge the same digital signature of the app after maliciously modifying the...
CVSS 7.5 | AI Score 7.4 | EPSS 0.001

The provided HCL Launch Container images contain non-unique HTTPS certificates and a database encryption key. The fix provides directions and tools to replace the non-unique keys and certificates. This does not affect the standard installer...
CVSS 7.5 | AI Score 7.4 | EPSS 0.001
There is a reflected Cross-Site Scripting vulnerability in the HCL Traveler web admin...
CVSS 7.5 | AI Score 5 | EPSS 0.001
An unauthenticated user can overload a part of HCL VersionVault Express and cause a denial of...
CVSS 7.5 | AI Score 7.5 | EPSS 0.001

HCL iNotes is susceptible to a link to non-existent domain vulnerability. An attacker could use this vulnerability to trick a user into supplying sensitive information such as username, password, credit card number,...
CVSS 7.4 | AI Score 7.1 | EPSS 0.002

HCL iNotes is susceptible to a Broken Password Strength Checks vulnerability. Custom password policies are not enforced on certain iNotes forms which could allow users to set weak passwords, leading to easier...
CVSS 7.5 | AI Score 7.5 | EPSS 0.002

HCL iNotes is susceptible to a Reflected Cross-site Scripting (XSS) vulnerability caused by improper validation of user-supplied input supplied with a form POST request. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's web browser...
CVSS 8.3 | AI Score 6.2 | EPSS 0.001

BigFix Web Reports authorized users may perform HTML injection for the email administrative configuration...
CVSS 5.4 | AI Score 5.7 | EPSS 0.001
Cross-origin resource sharing (CORS) enables browsers to perform cross domain requests in a controlled manner. This request has an Origin header that identifies the domain that is making the initial request and defines the protocol between a browser and server to see if the request is allowed. An...
CVSS 9.8 | AI Score 9 | EPSS 0.002
HCL Traveler is vulnerable to a cross-site scripting (XSS) caused by improper validation of the Name parameter for Approved Applications in the Traveler administration web pages. An attacker could exploit this vulnerability to execute a malicious script to access any cookies, session tokens, or...
CVSS 4.9 | AI Score 5 | EPSS 0.001

The Master operator may be able to embed a script tag in HTML with an alert pop-up display...
CVSS 6.6 | AI Score 5 | EPSS 0.001

The software may be vulnerable to both Un-Auth XML interaction and unauthenticated device...
CVSS 5.3 | AI Score 5.3 | EPSS 0.001

User generated PPKG file for Bulk Enroll may have unencrypted sensitive information...
CVSS 6.8 | AI Score 6.3 | EPSS 0.001

VersionVault Express exposes sensitive information that an attacker can use to impersonate the server or eavesdrop on communications with the...
CVSS 9.1 | AI Score 9 | EPSS 0.002

HCL Domino is affected by an Insufficient Access Control vulnerability. An authenticated attacker with local access to the system could exploit this vulnerability to attain escalation of privileges, denial of service, or information...
CVSS 8.8 | AI Score 7.4 | EPSS 0.0004

XML External Entity (XXE) injection vulnerabilities occur when poorly configured XML parsers process user supplied input without sufficient validation. Attackers can exploit this vulnerability to manipulate XML content and inject malicious external entity...
CVSS 7.5 | AI Score 7.8 | EPSS 0.001