MidnightBSD

Advisories for hcltech

CVE-2017-1712 MEDIUM

"A vulnerability in the TLS protocol implementation of the Domino server could allow an unauthenticated, remote attacker to access sensitive information, aka a Return of Bleichenbacher's Oracle Threat (ROBOT) attack. An attacker could iteratively query a server running a vulnerable TLS stack implementation to perform cryptanalytic operations that may allow decryption of previously captured TLS sessions."

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N 2.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-326,

Products Affected

Vendor Product Version
hcltech domino *
CVE-2018-11518 MEDIUM

A vulnerability allows a phreaking attack on HCL legacy IVR systems that do not use VoIP. These IVR systems rely on various frequencies of audio signals; based on the frequency, certain commands and functions are processed. Since these frequencies are accepted within a phone call, an attacker can record these frequencies and use them for service activations. This is a request-forgery issue when the required series of DTMF signals for a service activation is predictable (e.g., the IVR system does not speak a nonce to the caller). In this case, the IVR system accepts an activation request from a less-secure channel (any loudspeaker in the caller's physical environment) without verifying that the request was intended (it matches a nonce sent over a more-secure channel to the caller's earpiece).

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
hcltech legacy_ivr_firmware -
CVE-2019-16188 MEDIUM

HCL AppScan Source before 9.03.13 is susceptible to XML External Entity (XXE) attacks in multiple locations. In particular, an attacker can send a specially crafted .ozasmt file to a targeted victim and ask the victim to open it. When the victim imports the .ozasmt file in AppScan Source, the content of any file in the local file system (to which the victim as read access) can be exfiltrated to a remote listener under the attacker's control. The product does not disable external XML Entity Processing, which can lead to information disclosure and denial of services attacks.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.1 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H 1.8 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-611,

Products Affected

Vendor Product Version
hcltech appscan_source *
CVE-2019-4090 LOW

"HCL Campaign is vulnerable to cross-site scripting when a user provides XSS scripts in Campaign Description field."

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
hcltech marketing_campaign *
hcltech marketing_campaign 11.0.1
CVE-2019-4091 LOW

"HCL Marketing Platform is vulnerable to cross-site scripting during addition of new users and also while searching for users in Dashboard, potentially giving an attacker ability to inject malicious code into the system. "

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
hcltech marketing_campaign *
hcltech marketing_campaign 9.1.2.4
CVE-2019-4209 MEDIUM

HCL Connections v5.5, v6.0, and v6.5 contains an open redirect vulnerability which could be exploited by an attacker to conduct phishing attacks.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-601,

Products Affected

Vendor Product Version
hcltech connections 6.5
hcltech connections 6.0
hcltech connections 5.5
CVE-2019-4301 MEDIUM

BigFix Self-Service Application (SSA) is vulnerable to arbitrary code execution if Javascript code is included in Running Message or Post Message HTML.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.4 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H 1.7 6.0

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
hcltech self-service_application 3.0.0
CVE-2019-4323 MEDIUM

"HCL AppScan Enterprise advisory API documentation is susceptible to clickjacking, which could allow an attacker to embed the contents of untrusted web pages in a frame."

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N 2.8 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-1021,

Products Affected

Vendor Product Version
hcltech appscan *
CVE-2019-4324 MEDIUM

"HCL AppScan Enterprise is susceptible to Cross-Site Scripting while importing a specially crafted test policy."

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
hcltech appscan *
CVE-2019-4325 MEDIUM

"HCL AppScan Enterprise makes use of broken or risky cryptographic algorithm to store REST API user details."

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-327,

Products Affected

Vendor Product Version
hcltech appscan *
CVE-2019-4326 MEDIUM

"HCL AppScan Enterprise security rules update administration section of the web application console is missing HTTP Strict-Transport-Security Header."

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-116,

Products Affected

Vendor Product Version
hcltech appscan *
CVE-2019-4327 MEDIUM

"HCL AppScan Enterprise uses hard-coded credentials which can be exploited by attackers to get unauthorized access to application's encrypted files."

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-798,

Products Affected

Vendor Product Version
hcltech appscan *
CVE-2019-4388 LOW

HCL AppScan Source 9.0.3.13 and earlier is susceptible to cross-site scripting (XSS) attacks by allowing users to embed arbitrary JavaScript code in the Web UI.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N 1.7 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
hcltech appscan_source *
CVE-2019-4391 MEDIUM

HCL AppScan Standard is vulnerable to XML External Entity Injection (XXE) attack when processing XML data

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.2 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L 3.9 4.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-611,

Products Affected

Vendor Product Version
hcltech appscan *
CVE-2019-4392 HIGH

HCL AppScan Standard Edition 9.0.3.13 and earlier uses hard-coded credentials which can be exploited by attackers to get unauthorized access to the system.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-798,

Products Affected

Vendor Product Version
hcltech appscan *
CVE-2019-4393 MEDIUM

HCL AppScan Standard is vulnerable to excessive authorization attempts

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-307,

Products Affected

Vendor Product Version
hcltech appscan *
CVE-2019-4409 LOW

HCL Traveler versions 9.x and earlier are susceptible to cross-site scripting attacks. On the Problem Report page of the Traveler servlet pages, there is a field to specify a file attachment to provide additional problem details. An invalid file name returns an error message that includes the entered file name. If the file name is not escaped in the returned error page, it could expose a cross-site scripting (XSS) vulnerability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
hcltech traveler *
CVE-2020-14221 MEDIUM

HCL Digital Experience 8.5, 9.0, and 9.5 exposes information about the server to unauthorized users.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N 1.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
hcltech digital_experience 9.0
hcltech digital_experience 9.5
hcltech digital_experience 8.5
CVE-2020-14222 MEDIUM

HCL Digital Experience 8.5, 9.0, 9.5 is susceptible to cross site scripting (XSS). One subcomponent is vulnerable to reflected XSS. In reflected XSS, an attacker must induce a victim to click on a crafted URL from some delivery mechanism (email, other web site).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
hcltech hcl_digital_experience 9.5
hcltech hcl_digital_experience 9.0
hcltech hcl_digital_experience 8.5
CVE-2020-14223 MEDIUM

HCL Digital Experience 8.5, 9.0, 9.5 is susceptible to cross-site scripting (XSS). The vulnerability could be employed in a reflected or non-persistent XSS attack.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
hcltech digital_experience 9.0
hcltech digital_experience 9.5
hcltech digital_experience 8.5
CVE-2020-14224 HIGH

A vulnerability in the MIME message handling of the HCL Notes v9 client could potentially be exploited by an unauthenticated attacker resulting in a stack buffer overflow. This could allow a remote attacker to crash the Notes application or inject code into the system which would execute with the privileges of the currently logged-in user.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-787,

Products Affected

Vendor Product Version
hcltech notes 9.0.1
hcltech notes 9.0
CVE-2020-14225 MEDIUM

HCL iNotes is susceptible to a Tabnabbing vulnerability caused by improper sanitization of message content. A remote unauthenticated attacker could use this vulnerability to trick the end user into entering sensitive information such as credentials, e.g. as part of a phishing attack.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
hcltechsw hcl_inotes 9.0.1
hcltechsw hcl_inotes *
hcltech hcl_inotes 10.0.1
hcltech hcl_inotes 11.0.0
CVE-2020-14230 MEDIUM

HCL Domino is susceptible to a Denial of Service vulnerability caused by improper validation of user-supplied input. A remote unauthenticated attacker could exploit this vulnerability using a specially-crafted email message to hang the server. Versions previous to releases 9.0.1 FP10 IF6, 10.0.1 FP5 and 11.0.1 are affected.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
hcltech domino 9.0.1
hcltech domino *
hcltech domino 10.0.1
CVE-2020-14232 HIGH

A vulnerability in the input parameter handling of HCL Notes v9 could potentially be exploited by an authenticated attacker resulting in a stack buffer overflow. This could allow the attacker to crash the program or inject code into the system which would execute with the privileges of the currently logged in user.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
hcltech notes 9.0.1
hcltech notes 9.0
CVE-2020-14234 MEDIUM

HCL Domino is susceptible to a Denial of Service vulnerability due to improper validation of user-supplied input, potentially giving an attacker the ability to crash the server. Versions previous to release 9.0.1 FP10 IF6 and release 10.0.1 are affected.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
hcltech domino 9.0.1
hcltech domino *
CVE-2020-14240 MEDIUM

HCL Notes versions previous to releases 9.0.1 FP10 IF8, 10.0.1 FP6 and 11.0.1 FP1 is susceptible to a Stored Cross-site Scripting (XSS) vulnerability. An attacker could use this vulnerability to execute script in a victim's Web browser within the security context of the hosting Web site and/or steal the victim's cookie-based authentication credentials.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
hcltech notes 9.0.1
hcltech notes 10.0.1
hcltech notes *
CVE-2020-14244 HIGH

A vulnerability in the MIME message handling of the Domino server (versions 9 and 10) could potentially be exploited by an unauthenticated attacker resulting in a stack buffer overflow. This could allow a remote attacker to crash the server or inject code into the system which would execute with the privileges of the server.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-787,

Products Affected

Vendor Product Version
hcltech domino *
hcltech domino 10.0.1
CVE-2020-14248 MEDIUM

BigFix Inventory up to v10.0.2 does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-319,

Products Affected

Vendor Product Version
hcltech bigfix_platform *
CVE-2020-14254 MEDIUM

TLS-RSA cipher suites are not disabled in HCL BigFix Inventory up to v10.0.2. If TLS 2.0 and secure ciphers are not enabled then an attacker can passively record traffic and later decrypt it.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-327,

Products Affected

Vendor Product Version
hcltech bigfix_platform *
CVE-2020-14255 MEDIUM

HCL Digital Experience 9.5 containers include vulnerabilities that could expose sensitive data to unauthorized parties via crafted requests. These affect containers only. These do not affect traditional on-premise installations.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
hcltech digital_experience 9.5
CVE-2020-14258 MEDIUM

HCL Notes is susceptible to a Denial of Service vulnerability caused by improper validation of user-supplied input. A remote unauthenticated attacker could exploit this vulnerability using a specially-crafted email message to hang the client. Versions 9, 10 and 11 are affected.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
hcltech notes 11.0
hcltech notes 10.0
hcltech notes 9.0
CVE-2020-14260 HIGH

HCL Domino is susceptible to a Buffer Overflow vulnerability in DXL due to improper validation of user input. A successful exploit could enable an attacker to crash Domino or execute attacker-controlled code on the server system.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-120,

Products Affected

Vendor Product Version
hcltech domino *
CVE-2020-14263 LOW

"HCL Traveler Companion is vulnerable to an iOS weak cryptographic process vulnerability via the included MobileIron AppConnect SDK"

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.9 LOW CVSS:3.1/AV:P/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N 0.3 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-732,

Products Affected

Vendor Product Version
hcltech traveler_companion *
CVE-2020-14264 LOW

"HCL Traveler Companion is vulnerable to an iOS weak cryptographic process vulnerability via the included MobileIron AppConnect SDK"

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.9 LOW CVSS:3.1/AV:P/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N 0.3 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-327,

Products Affected

Vendor Product Version
hcltech traveler_companion *
CVE-2020-14268 HIGH

A vulnerability in the MIME message handling of the Notes client (versions 9 and 10) could potentially be exploited by an unauthenticated attacker resulting in a stack buffer overflow. This could allow a remote attacker to crash the client or inject code into the system which would execute with the privileges of the client.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-787,

Products Affected

Vendor Product Version
hcltech notes 9.0.1
hcltech notes 10.0.1
hcltech notes *
CVE-2020-14270 MEDIUM

HCL Domino v9, v10, v11 is susceptible to an Information Disclosure vulnerability in XPages due to improper error handling of user input. An unauthenticated attacker could exploit this vulnerability to obtain information about the XPages software running on the Domino server.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-755,

Products Affected

Vendor Product Version
hcltech domino *
hcltech domino 10.0.1
hcltech domino 11.0.1
hcltech domino 11.0.0
CVE-2020-14271 MEDIUM

HCL iNotes v9, v10 and v11 is susceptible to a Stored Cross-Site Scripting (XSS) vulnerability due to improper handling of message content. An unauthenticated remote attacker could exploit this vulnerability using specially-crafted markup to execute script in a victim's web browser within the security context of the hosting Web site and/or steal the victim's cookie-based authentication credentials.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
hcltech hcl_inotes *
hcltech hcl_inotes 10.0.1
hcltech hcl_inotes 11.0.1
CVE-2020-14273 MEDIUM

HCL Domino is susceptible to a Denial of Service (DoS) vulnerability due to insufficient validation of input to its public API. An unauthenticated attacker could could exploit this vulnerability to crash the Domino server.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
hcltech domino 10.0.1
hcltech domino 11.0.1
hcltech domino 11.0.0
CVE-2020-4080 MEDIUM

HCL Verse v10 and v11 is susceptible to a Stored Cross-Site Scripting (XSS) vulnerability due to improper handling of message content. An unauthenticated remote attacker could exploit this vulnerability using specially-crafted markup to execute script in a victim's web browser within the security context of the hosting Web site and/or steal the victim's cookie-based authentication credentials.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
hcltech domino 11.0
hcltech domino 10.0.1
hcltech domino 11.0.1
hcltech domino 10.0.0
CVE-2020-4081 MEDIUM

In Digital Experience 8.5, 9.0, and 9.5, WSRP consumer is vulnerable to cross-site scripting (XSS).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
hcltech digital_experience 9.0
hcltech digital_experience 9.5
hcltech digital_experience 8.5
CVE-2020-4082 LOW

The HCL Connections 5.5 help system is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
hcltech connections 5.5
CVE-2020-4083 LOW

HCL Connections 6.5 is vulnerable to possible information leakage. Connections could disclose sensitive information via trace logs to a local user.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-532,

Products Affected

Vendor Product Version
hcltech connections 6.5
CVE-2020-4084 LOW

HCL Connections v5.5, v6.0, and v6.5 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
hcltech connections 6.5
hcltech connections 6.0
hcltech connections 5.5
CVE-2020-4085 MEDIUM

"HCL Connections is vulnerable to possible information leakage and could disclose sensitive information via stack trace to a local user."

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-209,

Products Affected

Vendor Product Version
hcltech connections 6.5
hcltech connections 6.0
hcltech connections 5.5
CVE-2020-4089 MEDIUM

HCL Notes is vulnerable to an information leakage vulnerability through its support for the 'mailto' protocol. This vulnerability could result in files from the user's filesystem or connected network filesystems being leaked to a third party. All versions of HCL Notes 9, 10 and 11 are affected.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
hcltech notes 11.0
hcltech notes 10.0
hcltech notes 9.0
CVE-2020-4092 MEDIUM

"If port encryption is not enabled on the Domino Server, HCL Nomad on Android and iOS Platforms will communicate in clear text and does not currently have a user interface option to change the setting to request an encrypted communication channel with the Domino server. This can potentially expose sensitive information including but not limited to server names, user IDs and document content."

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-319,

Products Affected

Vendor Product Version
hcltech hcl_nomad 1.0.1
hcltech hcl_nomad 1.0.7
hcltech hcl_nomad 1.0.8
hcltech hcl_nomad 1.0.4
hcltech hcl_nomad 1.0.3
hcltech hcl_nomad 1.0.6
hcltech hcl_nomad 1.0.2
hcltech hcl_nomad 1.0
hcltech hcl_nomad 1.0.5
CVE-2020-4095 LOW

"BigFix Platform is storing clear text credentials within the system's memory. An attacker who is able to gain administrative privileges can use a program to create a memory dump and extract the credentials. These credentials can be used to pivot further into the environment. The principle of least privilege should be applied to all BigFix deployments, limiting administrative access."

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.0 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N 1.5 4.0

CVSS 2.0

Severity: LOW

Problem Type: CWE-312,CWE-522,

Products Affected

Vendor Product Version
hcltech bigfix_platform *
CVE-2020-4097 MEDIUM

In HCL Notes version 9 previous to release 9.0.1 FixPack 10 Interim Fix 8, version 10 previous to release 10.0.1 FixPack 6 and version 11 previous to 11.0.1 FixPack 1, a vulnerability in the input parameter handling of the Notes Client could potentially be exploited by an attacker resulting in a buffer overflow. This could enable an attacker to crash HCL Notes or execute attacker-controlled code on the client.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.8 MEDIUM CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 0.9 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-120,

Products Affected

Vendor Product Version
hcltech notes 10.0.0
hcltech notes 9.0.1
hcltech notes 10.0.1
hcltech notes *
CVE-2020-4099

The application was signed using a key length less than or equal to 1024 bits, making it potentially vulnerable to forged digital signatures. An attacker could forge the same digital signature of the app after maliciously modifying the app.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N 2.2 3.6
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6

Products Affected

Vendor Product Version
hcltech verse *
CVE-2020-4101 HIGH

"HCL Digital Experience is susceptible to Server Side Request Forgery."

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-918,

Products Affected

Vendor Product Version
hcltech hcl_digital_experience 9.5
hcltech hcl_digital_experience 9.0
hcltech hcl_digital_experience 8.5
CVE-2020-4102 HIGH

HCL Notes is susceptible to a Buffer Overflow vulnerability in DXL due to improper validation of user input. A successful exploit could enable an attacker to crash Notes or execute attacker-controlled code on the client system.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.7 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 0.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-120,

Products Affected

Vendor Product Version
hcltech notes 11.0
hcltech notes 11.0.1
hcltech notes 10.0
hcltech notes 10.0.1
hcltech notes *
CVE-2020-4104 LOW

HCL BigFix WebUI is vulnerable to stored cross-site scripting (XSS) within the Apps->Software module. An attacker can use XSS to send a malicious script to an unsuspecting user. This affects all versions prior to latest releases as specified in https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0080855&sys_kb_id=971d99ed1b8ed01c086dcbfc0a4bcb6a.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
hcltech bigfix_webui -
CVE-2020-4107 MEDIUM

HCL Domino is affected by an Insufficient Access Control vulnerability. An authenticated attacker with local access to the system could exploit this vulnerability to attain escalation of privileges, denial of service, or information disclosure.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 8.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H 2.0 6.0
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-284,NVD-CWE-Other,

Products Affected

Vendor Product Version
hcltech domino 11.0
hcltech domino 10.0
hcltech domino 9.0
CVE-2020-4126 MEDIUM

HCL iNotes is susceptible to a sensitive cookie exposure vulnerability. This can allow an unauthenticated remote attacker to capture the cookie by intercepting its transmission within an http session. Fixes are available in HCL Domino and iNotes versions 10.0.1 FP6 and 11.0.1 FP2 and later.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N 2.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-311,

Products Affected

Vendor Product Version
hcltech hcl_inotes *
hcltech hcl_inotes 10.0.1
hcltech hcl_inotes 11.0.1
CVE-2020-4127 MEDIUM

HCL Domino is susceptible to a Login CSRF vulnerability. With a valid credential, an attacker could trick a user into accessing a system under another ID or use an intranet user's system to access internal systems from the internet. Fixes are available in HCL Domino versions 9.0.1 FP10 IF6, 10.0.1 FP6 and 11.0.1 FP1 and later.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
hcltech hcl_domino 9.0.1
hcltech hcl_domino *
hcltech hcl_domino 10.0.1
CVE-2020-4128 MEDIUM

HCL Domino is susceptible to a lockout policy bypass vulnerability in the ID Vault service. An unauthenticated attacker could use this vulnerability to mount a brute force attack against the ID Vault service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
hcltech domino *
hcltech domino 10.0.1
CVE-2020-4129 MEDIUM

HCL Domino is susceptible to a lockout policy bypass vulnerability in the LDAP service. An unauthenticated attacker could use this vulnerability to mount a brute force attack against the LDAP service. Fixes are available in HCL Domino versions 9.0.1 FP10 IF6, 10.0.1 FP6 and 11.0.1 FP1 and later.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
hcltech hcl_domino 9.0.1
hcltech hcl_domino *
hcltech hcl_domino 10.0.1
CVE-2021-27753 LOW

"Sametime Android PathTraversal Vulnerability"

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-22,

Products Affected

Vendor Product Version
hcltech hcl_sametime *
CVE-2021-27755 LOW

"Sametime Android potential path traversal vulnerability when using File class"

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N 1.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-22,

Products Affected

Vendor Product Version
hcltech hcl_sametime *
CVE-2021-27756 MEDIUM

"TLS-RSA cipher suites are not disabled in BigFix Compliance up to v2.0.5. If TLS 2.0 and secure ciphers are not enabled then an attacker can passively record traffic and later decrypt it."

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-327,

Products Affected

Vendor Product Version
hcltech bigfix_compliance *
CVE-2021-27757 MEDIUM

" Insecure password storage issue.The application stores sensitive information in cleartext within a resource that might be accessible to another control sphere.Since the information is stored in cleartext, attackers could potentially read it and gain access to sensitive information."

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-312,

Products Affected

Vendor Product Version
hcltech bigfix_insights *
CVE-2021-27758 MEDIUM

There is a security vulnerability in login form related to Cross-site Request Forgery which prevents user to login after attacker spam to login and system blocked victim's account.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 2.8 3.6
psirt@hcl.com 4.3 MEDIUM CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 2.8 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,CWE-352,

Products Affected

Vendor Product Version
hcltech bigfix_inventory *
CVE-2021-27759 MEDIUM

This vulnerability arises because the application allows the user to perform some sensitive action without verifying that the request was sent intentionally. An attacker can cause a victim's browser to emit an HTTP request to an arbitrary URL in the application.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 2.3 LOW CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N 0.9 1.4
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,CWE-345,

Products Affected

Vendor Product Version
hcltech bigfix_inventory *
CVE-2021-27760 MEDIUM

An issue was discovered in the Sametime chat feature in the Notes 11.0 - 11.0.1 FP4 clients. An authenticated Sametime chat user could cause Remote Code Execution on another chat client by sending a specially formatted message through chat containing Javascript code.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L 2.1 3.4
psirt@hcl.com 4.6 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:L 2.1 2.5

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,NVD-CWE-noinfo,

Products Affected

Vendor Product Version
hcltech hcl_inotes 11.0.0
hcltech hcl_inotes 11.0.1
CVE-2021-27761 MEDIUM

Weak web transport security (Weak TLS): An attacker may be able to decrypt the data using attacks

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 4.8 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N 2.2 2.5
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-326,

Products Affected

Vendor Product Version
hcltech bigfix_platform *
CVE-2021-27762 HIGH

Misconfigured security-related HTTP headers: Several security-related headers were missing or mis-configured on the web responses

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 4.7 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N 2.8 1.4
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
hcltech bigfix_platform *
CVE-2021-27764 MEDIUM

Cookie without HTTPONLY flag set. NUMBER cookie(s) was set without Secure or HTTPOnly flags. The images show the cookie with the missing flag. (WebUI)

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N 2.8 3.6
psirt@hcl.com 7.4 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N 2.8 4.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-614,CWE-311,CWE-732,

Products Affected

Vendor Product Version
hcltech bigfix_webui -
CVE-2021-27765 MEDIUM

The BigFix Server API installer is created with InstallShield, which was affected by CVE-2021-41526, a vulnerability that could allow a local user to perform a privilege escalation. This vulnerability was resolved by updating to an InstallShield version with the underlying vulnerability fixed.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 6.7 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N 1.5 4.7
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-269,CWE-269,

Products Affected

Vendor Product Version
hcltech bigfix_platform *
CVE-2021-27766 MEDIUM

The BigFix Client installer is created with InstallShield, which was affected by CVE-2021-41526, a vulnerability that could allow a local user to perform a privilege escalation. This vulnerability was resolved by updating to an InstallShield version with the underlying vulnerability fixed.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9
psirt@hcl.com 6.7 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N 1.5 4.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-269,CWE-269,

Products Affected

Vendor Product Version
hcltech bigfix_platform *
CVE-2021-27767 MEDIUM

The BigFix Console installer is created with InstallShield, which was affected by CVE-2021-41526, a vulnerability that could allow a local user to perform a privilege escalation. This vulnerability was resolved by updating to an InstallShield version with the underlying vulnerability fixed.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9
psirt@hcl.com 6.7 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N 1.5 4.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-269,CWE-269,

Products Affected

Vendor Product Version
hcltech bigfix_platform *
CVE-2021-27768 MEDIUM

Using the ability to perform a Man-in-the-Middle (MITM) attack, which indicates a lack of hostname verification, sensitive account information was able to be intercepted. In this specific scenario, the application's network traffic was intercepted using a proxy server set up in 'transparent' mode while a certificate with an invalid hostname was active. The Android application was found to have hostname verification issues during the server setup and login flows; however, the application did not process requests post-login.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N 2.2 3.6
psirt@hcl.com 6.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N 2.1 4.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-300,CWE-295,

Products Affected

Vendor Product Version
hcltech verse *
CVE-2021-27769 MEDIUM

Information leakage occurs when a website reveals information that could aid an attacker to further exploit the system. This information may or may not be sensitive and does not automatically mean a breach is likely to occur. Overall, any information that could be used for an attack should be limited whenever possible.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4
psirt@hcl.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-472,NVD-CWE-noinfo,

Products Affected

Vendor Product Version
hcltech sametime 11.6
CVE-2021-27770 MEDIUM

The vulnerability was discovered within the “FaviconService”. The service takes a base64-encoded URL which is then requested by the webserver. We assume this service is used by the “meetings”-function where users can specify an external URL where the online meeting will take place.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9
psirt@hcl.com 6.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L 2.1 4.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-472,NVD-CWE-Other,

Products Affected

Vendor Product Version
hcltech sametime 11.6
CVE-2021-27771 MEDIUM

User SID can be modified resulting in an Arbitrary File Upload or deletion of directories causing a Denial of Service. When interacting in a normal matter with the Sametime chat application, users hold a cookie containing their session ID (SID). This value is also used when sending chat messages, receiving notifications and/or transferring files.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 8.2 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:H 2.3 5.3
nvd@nist.gov 7.6 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H 2.8 4.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22,CWE-434,CWE-434,

Products Affected

Vendor Product Version
hcltech sametime 11.6
CVE-2021-27772 MEDIUM

Users are able to read group conversations without actively taking part in them. Next to one to one conversations, users are able to start group conversations with multiple users. It was found possible to obtain the contents of these group conversations without being part of it. This could lead to information leakage where confidential information discussed in private groups is read by other users without the users knowledge.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 7.1 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L 2.8 4.2
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-285,NVD-CWE-noinfo,

Products Affected

Vendor Product Version
hcltech sametime 11.6
CVE-2021-27773 MEDIUM

This vulnerability allows users to execute a clickjacking attack in the meeting's chat.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 4.2 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N 1.6 2.5
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N 2.8 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-451,CWE-1021,

Products Affected

Vendor Product Version
hcltech sametime 11.6
CVE-2021-27774

User input included in error response, which could be used in a phishing attack.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 3.1 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N 1.6 1.4
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N 2.8 2.5

Products Affected

Vendor Product Version
hcltech hcl_digital_experience 9.5
hcltech hcl_digital_experience 9.0
hcltech hcl_digital_experience 8.5
CVE-2021-27777 MEDIUM

XML External Entity (XXE) injection vulnerabilities occur when poorly configured XML parsers process user supplied input without sufficient validation. Attackers can exploit this vulnerability to manipulate XML content and inject malicious external entity references.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-91,CWE-611,

Products Affected

Vendor Product Version
hcltech unica *
CVE-2021-27778 LOW

HCL Traveler is vulnerable to a cross-site scripting (XSS) caused by improper validation of the Name parameter for Approved Applications in the Traveler administration web pages. An attacker could exploit this vulnerability to execute a malicious script to access any cookies, session tokens, or other sensitive information retained by the browser and used with that site.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N 1.7 2.7
psirt@hcl.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:L 1.8 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,CWE-79,

Products Affected

Vendor Product Version
hcltech traveler *
CVE-2021-27779 MEDIUM

VersionVault Express exposes sensitive information that an attacker can use to impersonate the server or eavesdrop on communications with the server.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N 3.9 5.2
psirt@hcl.com 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N 3.9 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-311,CWE-311,

Products Affected

Vendor Product Version
hcltech versionvault_express 2.0.1
CVE-2021-27780 MEDIUM

The software may be vulnerable to both Un-Auth XML interaction and unauthenticated device enrollment.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-112,NVD-CWE-noinfo,

Products Affected

Vendor Product Version
hcltech modern_client_management *
hcltech bigfix_mobile *
CVE-2021-27781 LOW

The Master operator may be able to embed script tag in HTML with alert pop-up display cookie.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N 1.7 2.7
psirt@hcl.com 6.6 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L 2.3 3.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,CWE-79,

Products Affected

Vendor Product Version
hcltech modern_client_management *
hcltech bigfix_mobile *
CVE-2021-27782

HCL BigFix Mobile / Modern Client Management Admin and Config UI passwords can be brute-forced. User should be locked out for multiple invalid attempts.

Products Affected

Vendor Product Version
hcltech bigfix_mobile 2.0
CVE-2021-27783 MEDIUM

User generated PPKG file for Bulk Enroll may have unencrypted sensitive information exposed.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6
psirt@hcl.com 6.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:L 2.1 4.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-311,CWE-311,

Products Affected

Vendor Product Version
hcltech bigfix_modern_client_management 2.0
hcltech bigfix_modern_client_management 2.1
hcltech bigfix_mobile 2.0
hcltech bigfix_mobile 2.1
CVE-2021-27784

The provided HCL Launch Container images contain non-unique HTTPS certificates and a database encryption key. The fix provides directions and tools to replace the non-unique keys and certificates. This does not affect the standard installer packages.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6
psirt@hcl.com 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N 2.2 3.6

Products Affected

Vendor Product Version
hcltech hcl_launch_container_image *
hcltech hcl_launch_container_image 7.1.0.1
CVE-2021-27786 MEDIUM

Cross-origin resource sharing (CORS) enables browsers to perform cross domain requests in a controlled manner. This request has an Origin header that identifies the domain that is making the initial request and defines the protocol between a browser and server to see if the request is allowed. An attacker can take advantage of this and possibly carry out privileged actions and access sensitive information when the Access-Control-Allow-Credentials is enabled.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9
psirt@hcl.com 4.6 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N 2.1 2.5

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-942,CWE-697,

Products Affected

Vendor Product Version
hcltech onetest_server 10.2
hcltech onetest_server 10.1
hcltech onetest_server 10.0
CVE-2021-27788

HCL Verse is susceptible to a Cross Site Scripting (XSS) vulnerability.  By tricking a user into clicking a crafted URL, a remote unauthenticated attacker could execute script in a victim's web browser to perform operations as the victim and/or steal the victim's cookies, session tokens, or other sensitive information.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7
psirt@hcl.com 8.3 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L 2.8 5.5

Products Affected

Vendor Product Version
hcltech verse *
CVE-2022-27544

BigFix Web Reports authorized users may see SMTP credentials in clear text.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6
psirt@hcl.com 5.0 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N 1.3 3.6

Products Affected

Vendor Product Version
hcltech bigfix_platform *
CVE-2022-27545

BigFix Web Reports authorized users may perform HTML injection for the email administrative configuration page.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7
psirt@hcl.com 4.6 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 1.5 2.7

Products Affected

Vendor Product Version
hcltech bigfix_platform *
CVE-2022-27546

HCL iNotes is susceptible to a Reflected Cross-site Scripting (XSS) vulnerability caused by improper validation of user-supplied input supplied with a form POST request. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's web browser within the security context of the hosting web site and/or steal the victim's cookie-based authentication credentials.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 8.3 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L 2.8 5.5
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

Products Affected

Vendor Product Version
hcltech hcl_inotes 11.0
hcltech domino 12.0
hcltech hcl_inotes 12.0
hcltech domino 10.0.1
hcltech hcl_inotes 11.0.1
hcltech domino 11.0.1
hcltech hcl_inotes 9.0.1
hcltech hcl_inotes 10.0
hcltech domino 9.0.1
hcltech domino 11.0
hcltech hcl_inotes 10.0.1
hcltech domino 12.0.1
hcltech hcl_inotes 12.0.1
hcltech domino 10.0
hcltech domino 9.0
CVE-2022-27547

HCL iNotes is susceptible to a link to non-existent domain vulnerability. An attacker could use this vulnerability to trick a user into supplying sensitive information such as username, password, credit card number, etc.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.4 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N 2.8 4.0
psirt@hcl.com 6.1 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N 1.6 4.0

Products Affected

Vendor Product Version
hcltech hcl_inotes 11.0
hcltech domino 12.0
hcltech hcl_inotes 12.0
hcltech domino 10.0.1
hcltech hcl_inotes 11.0.1
hcltech domino 11.0.1
hcltech hcl_inotes 9.0.1
hcltech hcl_inotes 10.0
hcltech domino 9.0.1
hcltech domino 11.0
hcltech hcl_inotes 10.0.1
hcltech domino 12.0.1
hcltech hcl_inotes 12.0.1
hcltech domino 10.0
hcltech domino 9.0
CVE-2022-27558

HCL iNotes is susceptible to a Broken Password Strength Checks vulnerability. Custom password policies are not enforced on certain iNotes forms which could allow users to set weak passwords, leading to easier cracking.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6
psirt@hcl.com 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N 2.2 3.6

Products Affected

Vendor Product Version
hcltech domino 12.0.1
hcltech hcl_inotes 12.0.1
CVE-2022-27560

HCL VersionVault Express exposes administrator credentials.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 6.0 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:H 1.2 4.7
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6

Products Affected

Vendor Product Version
hcltech versionvault_express 2.1.0
hcltech versionvault_express 2.0.1
CVE-2022-27561

There is a reflected Cross-Site Scripting vulnerability in the HCL Traveler web admin (LotusTraveler.nsf).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N 1.7 2.7
psirt@hcl.com 7.5 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H 1.6 5.9

Products Affected

Vendor Product Version
hcltech traveler *
CVE-2022-27562

Unsafe default file type filter policy in HCL Domino Volt allows upload of .html file and execution of unsafe JavaScript in deployed applications.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 4.6 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N 2.1 2.5

Products Affected

Vendor Product Version
hcltech domino_leap *
CVE-2022-27563

An unauthenticated user can overload a part of HCL VersionVault Express and cause a denial of service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
hcltech versionvault_express 2.1.0
hcltech versionvault_express 2.0.1
CVE-2022-38653

In HCL Digital Experience, customized XSS payload can be constructed such that it is served in the application unencoded.

Products Affected

Vendor Product Version
hcltech digital_experience 9.0
hcltech digital_experience 9.5
hcltech digital_experience 8.5
CVE-2022-38654

HCL Domino is susceptible to an information disclosure vulnerability. In some scenarios, local calls made on the server to search the Domino directory will ignore xACL read restrictions. An authenticated attacker could leverage this vulnerability to access attributes from a user's person record.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 1.8 3.6
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 1.8 3.6

Products Affected

Vendor Product Version
hcltech domino 12.0
hcltech domino 9.0.1
hcltech domino 10.0.1
hcltech domino 11.0.1
hcltech domino 10.0.0
CVE-2022-38655

BigFix WebUI non-master operators are missing controls that prevent them from being able to modify the relevance of fixlets or to deploy fixlets from the BES Support external site.

Products Affected

Vendor Product Version
hcltech bigfix_webui 20
CVE-2022-38657

An open redirect to malicious sites can occur when accessing the "Feedback" action on the manager page.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 8.2 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H 1.5 6.0
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

Products Affected

Vendor Product Version
hcltech hcl_leap *
CVE-2022-38658

BigFix deployments that have installed the Notification Service on Windows are susceptible to disclosing SMTP BigFix operator's sensitive data in clear text. Operators who use Notification Service related content from BES Support are at risk of leaving their SMTP sensitive data exposed.

Products Affected

Vendor Product Version
hcltech bigfix_server_automation *
CVE-2022-38659

In specific scenarios, on Windows the operator credentials may be encrypted in a manner that is not completely machine-dependent.

Products Affected

Vendor Product Version
hcltech bigfix_platform *
CVE-2022-38660

HCL XPages applications are susceptible to a Cross Site Request Forgery (CSRF) vulnerability. An unauthenticated attacker could exploit this vulnerability to perform actions in the application on behalf of the logged in user.  

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9
psirt@hcl.com 8.3 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L 2.8 5.5

Products Affected

Vendor Product Version
hcltech domino 9.0.1
hcltech domino *
CVE-2022-38662

 In HCL Digital Experience, URLs can be constructed to redirect users to untrusted sites.

Products Affected

Vendor Product Version
hcltech hcl_digital_experience 9.5
hcltech hcl_digital_experience 9.0
hcltech hcl_digital_experience 8.5
CVE-2022-42446

Starting with Sametime 12, anonymous users are enabled by default. After logging in as an anonymous user, one has the ability to browse the User Directory and potentially create chats with internal users.

Products Affected

Vendor Product Version
hcltech sametime 12.0
CVE-2022-42447

HCL Compass is vulnerable to Cross-Origin Resource Sharing (CORS). This vulnerability can allow an unprivileged remote attacker to trick a legitimate user into accessing a special resource and executing a malicious request.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 9.6 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H 2.8 6.0
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
hcltech hcl_compass *
CVE-2022-42449

Unsafe default file type filter policy in HCL Domino Volt allows upload of .html file and execution of unsafe JavaScript in deployed applications

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 4.6 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N 2.1 2.5

Products Affected

Vendor Product Version
hcltech domino_leap *
CVE-2022-42450

Improper sanitization of SVG files in HCL Domino Volt allows client-side script injection in deployed applications.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 4.6 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N 2.1 2.5

Products Affected

Vendor Product Version
hcltech domino_leap -
CVE-2022-42451

Certain credentials within the BigFix Patch Management Download Plug-ins are stored insecurely and could be exposed to a local privileged user.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 4.6 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N 1.5 2.7
nvd@nist.gov 4.4 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N 0.8 3.6
psirt@hcl.com 4.6 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N 1.5 2.7

Products Affected

Vendor Product Version
hcltech bigfix_patch_management *
CVE-2022-42453

There are insufficient warnings when a Fixlet is imported by a user. The warning message currently assumes the owner of the script is the logged in user, with insufficient warnings when attempting to run the script.

Products Affected

Vendor Product Version
hcltech bigfix_platform *
CVE-2022-44750

HCL Domino is susceptible to a stack based buffer overflow vulnerability in lasr.dll in Micro Focus KeyView. This could allow a remote unauthenticated attacker to crash the application or execute arbitrary code via a crafted Lotus Ami Pro file. This is different from the vulnerability described in CVE-2022-44754.  This vulnerability applies to software previously licensed by IBM.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9
psirt@hcl.com 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
hcltech domino 9.0.1
hcltech domino 9.0
CVE-2022-44751

HCL Notes is susceptible to a stack based buffer overflow vulnerability in lasr.dll in Micro Focus KeyView. This could allow a remote unauthenticated attacker to crash the application or execute arbitrary code via a crafted Lotus Ami Pro file. This is different from the vulnerability described in CVE-2022-44755.  This vulnerability applies to software previously licensed by IBM.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9

Products Affected

Vendor Product Version
hcltech notes 9.0.1
hcltech notes 10.0.1
CVE-2022-44752

HCL Domino is susceptible to a stack based buffer overflow vulnerability in wp6sr.dll in Micro Focus KeyView. This could allow a remote unauthenticated attacker to crash the application or execute arbitrary code via a crafted WordPerfect file.  This vulnerability applies to software previously licensed by IBM.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9
psirt@hcl.com 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
hcltech domino 9.0.1
hcltech domino 9.0
CVE-2022-44753

HCL Notes is susceptible to a stack based buffer overflow vulnerability in wp6sr.dll in Micro Focus KeyView. This could allow a remote unauthenticated attacker to crash the application or execute arbitrary code via a crafted WordPerfect file.  This vulnerability applies to software previously licensed by IBM.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9
psirt@hcl.com 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
hcltech notes 9.0.1
hcltech notes 10.0.1
CVE-2022-44754

HCL Domino is susceptible to a stack based buffer overflow vulnerability in lasr.dll in Micro Focus KeyView. This could allow a remote unauthenticated attacker to crash the application or execute arbitrary code via a crafted Lotus Ami Pro file. This is different from the vulnerability described in CVE-2022-44750.  This vulnerability applies to software previously licensed by IBM.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9

Products Affected

Vendor Product Version
hcltech domino 9.0.1
hcltech domino 9.0
CVE-2022-44755

HCL Notes is susceptible to a stack based buffer overflow vulnerability in lasr.dll in Micro Focus KeyView. This could allow a remote unauthenticated attacker to crash the application or execute arbitrary code via a crafted Lotus Ami Pro file. This is different from the vulnerability described in CVE-2022-44751.  This vulnerability applies to software previously licensed by IBM.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9
psirt@hcl.com 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
hcltech notes 9.0.1
hcltech notes 10.0.1
CVE-2022-44757

BigFix Insights for Vulnerability Remediation (IVR) uses weak cryptography that can lead to credential exposure. An attacker could gain access to sensitive information, modify data in unexpected ways, etc.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N 3.9 2.5
nvd@nist.gov 8.2 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N 3.9 4.2

Products Affected

Vendor Product Version
hcltech bigfix_insights_for_vulnerability_remediation *
CVE-2022-44758

BigFix Insights/IVR fixlet uses improper credential handling within certain fixlet content. An attacker can gain access to information that is not explicitly authorized.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4
psirt@hcl.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N 3.9 2.5

Products Affected

Vendor Product Version
hcltech bigfix_insights_for_vulnerability_remediation *
CVE-2022-44759

Improper sanitization of SVG files in HCL Leap allows client-side script injection in deployed applications.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 4.6 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N 2.1 2.5

Products Affected

Vendor Product Version
hcltech leap *
hcltech hcl_leap *
CVE-2022-44760

Unsafe default file type filter policy in HCL Leap allows execution of unsafe JavaScript in deployed applications.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 4.6 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N 2.1 2.5

Products Affected

Vendor Product Version
hcltech leap *
hcltech hcl_leap *
CVE-2023-23342

If certain local files are manipulated in a certain manner, the validation to use the cryptographic keys can be circumvented. 

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.1 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N 1.8 5.2
psirt@hcl.com 6.6 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N 1.3 5.2

Products Affected

Vendor Product Version
hcltech hcl_nomad *
CVE-2023-23343

A clickjacking vulnerability in the HCL BigFix OSD Bare Metal Server version 311.12 or lower allows attacker to use transparent or opaque layers to trick a user into clicking on a button or link on another page to perform a redirect to an attacker-controlled domain.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 2.4 LOW CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:L 0.9 1.4

Products Affected

Vendor Product Version
hcltech bigfix_osd_bare_metal_server *
CVE-2023-23344

A permission issue in BigFix WebUI Insights site version 14 allows an authenticated, unprivileged operator to access an administrator page.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 3.0 LOW CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N 1.5 1.4

Products Affected

Vendor Product Version
hcltech bigfix_webui_insights 14
CVE-2023-23346

HCL DRYiCE MyCloud is affected by the use of a broken cryptographic algorithm. An attacker can potentially compromise the confidentiality and integrity of sensitive information.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 6.4 MEDIUM CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N 1.1 4.7

Products Affected

Vendor Product Version
hcltech dryice_mycloud 10.5
hcltech dryice_mycloud 10.2
hcltech dryice_mycloud 10.4
hcltech dryice_mycloud 10.6
CVE-2023-23347

HCL DRYiCE iAutomate is affected by the use of a broken cryptographic algorithm. An attacker can potentially compromise the confidentiality and integrity of sensitive information.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 6.4 MEDIUM CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N 1.1 4.7

Products Affected

Vendor Product Version
hcltech dryice_iautomate 6.1
hcltech dryice_iautomate 6.2
hcltech dryice_iautomate 6.0
CVE-2023-28006

The OSD Bare Metal Server uses a cryptographic algorithm that is no longer considered sufficiently secure.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 7.0 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 1.0 5.9

Products Affected

Vendor Product Version
hcltech bigfix_osd_bare_metal_server *
CVE-2023-28008

HCL Workload Automation 9.4, 9.5, and 10.1 are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 7.1 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L 2.8 4.2

Products Affected

Vendor Product Version
hcltech workload_automation 9.4.0
hcltech workload_automation 9.5.0
hcltech workload_automation 10.1.0
CVE-2023-28009

HCL Workload Automation is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6

Products Affected

Vendor Product Version
hcltech workload_automation 9.4.0
hcltech workload_automation 9.5.0
hcltech workload_automation 10.1.0
CVE-2023-28010

In some configuration scenarios, the Domino server host name can be exposed. This information could be used to target future attacks.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4
psirt@hcl.com 4.0 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N 2.2 1.4

Products Affected

Vendor Product Version
hcltech domino 12.0.2
CVE-2023-28012

HCL BigFix Mobile is vulnerable to a command injection attack. An authenticated attacker could run arbitrary shell commands on the WebUI server.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

Products Affected

Vendor Product Version
hcltech bigfix_mobile 3.0
CVE-2023-28013

HCL Verse is susceptible to a Reflected Cross Site Scripting (XSS) vulnerability. By tricking a user into entering crafted markup a remote, unauthenticated attacker could execute script in a victim's web browser to perform operations as the victim and/or steal the victim's cookies, session tokens, or other sensitive information.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 6.6 MEDIUM CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:L 0.8 5.3

Products Affected

Vendor Product Version
hcltech verse *
CVE-2023-28014

HCL BigFix Mobile is vulnerable to a cross-site scripting attack. An authenticated attacker could inject malicious scripts into the application.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 6.6 MEDIUM CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:L 0.8 5.3

Products Affected

Vendor Product Version
hcltech bigfix_mobile 3.0
CVE-2023-28016

Host Header Injection vulnerability in the HCL BigFix OSD Bare Metal Server version 311.12 or lower allows attacker to supply invalid input to cause the OSD Bare Metal Server to perform a redirect to an attacker-controlled domain.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 3.1 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L 1.6 1.4

Products Affected

Vendor Product Version
hcltech bigfix_osd_bare_metal_server *
CVE-2023-28017

HCL Connections is vulnerable to a cross-site scripting attack where an attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user after visiting the vulnerable URL which leads to executing malicious script code. This may let the attacker steal cookie-based authentication credentials and comprise a user's account then launch other attacks.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7
psirt@hcl.com 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

Products Affected

Vendor Product Version
hcltech connections 6.5
hcltech connections 8.0
hcltech connections 7.0
hcltech connections 6.0
CVE-2023-28018

HCL Connections is vulnerable to a denial of service, caused by improper validation on certain requests. Using a specially-crafted request an attacker could exploit this vulnerability to cause denial of service for affected users.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 5.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L 2.1 3.4

Products Affected

Vendor Product Version
hcltech connections 6.5
hcltech connections 8.0
hcltech connections 7.0
CVE-2023-28019

Insufficient validation in Bigfix WebUI API App site version < 14 allows an authenticated WebUI user to issue SQL queries via an unparameterized SQL query.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 5.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L 2.1 3.4

Products Affected

Vendor Product Version
hcltech bigfix_webui *
CVE-2023-28020

 URL redirection in Login page in HCL BigFix WebUI allows malicious user to redirect the client browser to an external site via redirect URL response header.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 4.7 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N 2.8 1.4

Products Affected

Vendor Product Version
hcltech bigfix_webui -
CVE-2023-28021

The BigFix WebUI uses weak cipher suites.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N 2.2 3.6

Products Affected

Vendor Product Version
hcltech bigfix_webui -
CVE-2023-28022

HCL Connections is vulnerable to an information disclosure vulnerability which could allow a user to obtain sensitive information they are not entitled to, caused by improper handling of request data.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6
psirt@hcl.com 3.5 LOW CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N 2.1 1.4

Products Affected

Vendor Product Version
hcltech connections 6.5
hcltech connections 8.0
hcltech connections 7.0
hcltech connections 6.0
CVE-2023-28023

A cross site request forgery vulnerability in the BigFix WebUI Software Distribution interface site version 44 and before allows an NMO attacker to access files on server side systems (server machine and all the ones in its network). 

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N 1.8 2.7

Products Affected

Vendor Product Version
hcltech bigfix_webui *
CVE-2023-28025

Due to this vulnerability, the Master operator could potentially incorporate an SVG tag into HTML, leading to an alert pop-up displaying a cookie. To mitigate stored XSS vulnerabilities, a preventive measure involves thoroughly sanitizing and validating all user inputs before they are processed and stored in the server storage.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 6.6 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L 2.3 3.7
nvd@nist.gov 4.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N 1.7 2.7

Products Affected

Vendor Product Version
hcltech bigfix_modern_client_management *
CVE-2023-37495

Internet passwords stored in Person documents in the Domino® Directory created using the "Add Person" action on the People & Groups tab in the Domino® Administrator are secured using a cryptographically weak hash algorithm. This could enable attackers with access to the hashed value to determine a user's password, e.g. using a brute force attack. This issue does not impact Person documents created through user registration https://help.hcltechsw.com/domino/10.0.1/admin/conf_userregistration_c.html .

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N 2.2 3.6

Products Affected

Vendor Product Version
hcltech domino *
CVE-2023-37496

HCL Verse is susceptible to a Stored Cross Site Scripting (XSS) vulnerability. An attacker could execute script in a victim's web browser to perform operations as the victim and/or steal the victim's cookies, session tokens, or other sensitive information.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 8.3 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L 2.8 5.5

Products Affected

Vendor Product Version
hcltech verse *
CVE-2023-37497

The Unica application exposes an API which accepts arbitrary XML input. By manipulating the given XML, an authenticated attacker with certain rights can successfully perform XML External Entity attacks (XXE) against the backend service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

Products Affected

Vendor Product Version
hcltech unica *
CVE-2023-37498

A user is capable of assigning him/herself to arbitrary groups by reusing a POST request issued by an administrator.  It is possible that an attacker could potentially escalate their privileges.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

Products Affected

Vendor Product Version
hcltech unica *
CVE-2023-37499

A Persistent Cross-site Scripting (XSS) vulnerability can be carried out in a certain field of the Unica Platform.  An attacker could hijack a user's session and perform other attacks.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

Products Affected

Vendor Product Version
hcltech unica *
CVE-2023-37500

A Persistent Cross-site Scripting (XSS) vulnerability can be carried out on certain pages of Unica Platform.  An attacker could hijack a user's session and perform other attacks.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

Products Affected

Vendor Product Version
hcltech unica *
CVE-2023-37501

A Persistent XSS vulnerability can be carried out in a certain field of Unica Campaign.  An attacker could hijack a user's session and perform other attacks.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

Products Affected

Vendor Product Version
hcltech unica *
CVE-2023-37502

HCL Compass is vulnerable to lack of file upload security.  An attacker could upload files containing active code that can be executed by the server or by a user's web browser.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 9.0 CRITICAL CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H 2.3 6.0
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
hcltech hcl_compass *
hcltech hcl_compass 2.1.0
CVE-2023-37503

HCL Compass is vulnerable to insecure password requirements. An attacker could easily guess the password and gain access to user accounts.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 8.1 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N 2.8 5.2
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
hcltech hcl_compass *
hcltech hcl_compass 2.1.0
CVE-2023-37504

HCL Compass is vulnerable to failure to invalidate sessions. The application does not invalidate authenticated sessions when the log out functionality is called.  If the session identifier can be discovered, it could be replayed to the application and used to impersonate the user.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 7.1 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N 2.8 4.2
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N 3.9 2.5

Products Affected

Vendor Product Version
hcltech hcl_compass *
hcltech hcl_compass 2.1.0
CVE-2023-37511

If certain App Transport Security (ATS) settings are set in a certain manner, insecure loading of web content can be achieved.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 3.5 LOW CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N 2.1 1.4
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 2.8 1.4

Products Affected

Vendor Product Version
hcltech traveler_to_do *
CVE-2023-37512

When the app is put to the background and the user goes to the task switcher of iOS, the app snapshot is not blurred which may reveal sensitive information.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 3.3 LOW CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 1.8 1.4
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 1.8 3.6

Products Affected

Vendor Product Version
hcltech traveler_companion *
CVE-2023-37513

When the app is put to the background and the user goes to the task switcher of iOS, the app snapshot is not blurred which may reveal sensitive information.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 3.3 LOW CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 1.8 1.4
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 1.8 3.6

Products Affected

Vendor Product Version
hcltech traveler_to_do *
CVE-2023-37516

Missing "no cache" headers in HCL Leap permits user directory information to be cached.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 3.2 LOW CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N 1.5 1.4

Products Affected

Vendor Product Version
hcltech leap *
hcltech hcl_leap *
CVE-2023-37517

Missing "no cache" headers in HCL Leap permits sensitive data to be cached.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 3.2 LOW CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N 1.5 1.4

Products Affected

Vendor Product Version
hcltech domino_leap *
CVE-2023-37518

HCL BigFix ServiceNow is vulnerable to arbitrary code injection. A malicious authorized attacker could inject arbitrary code and execute within the context of the running user.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 6.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N 3.1 2.7
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
hcltech bigfix_servicenow_data_flow *
CVE-2023-37519

Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability. This XSS vulnerability is in the Download Status Report, which is served by the BigFix Server. 

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7
psirt@hcl.com 7.7 HIGH CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H 1.0 6.0

Products Affected

Vendor Product Version
hcltech bigfix_platform 11.0.0
hcltech bigfix_platform *
CVE-2023-37520

Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability identified in BigFix Server version 9.5.12.68, allowing for potential data exfiltration. This XSS vulnerability is in the Gather Status Report, which is served by the BigFix Relay.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7
psirt@hcl.com 7.7 HIGH CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H 1.0 6.0

Products Affected

Vendor Product Version
hcltech bigfix_platform 11.0.0
hcltech bigfix_platform *
CVE-2023-37525

A sensitive information disclosure in HCL BigFix Compliance allows a remote attacker to access files under the WEB-INF directory, which may contain Java class files and configuration information, leading to unauthorized access to application internals.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

Products Affected

Vendor Product Version
hcltech bigfix_compliance 2.0.9
CVE-2023-37527

A reflected cross-site scripting (XSS) vulnerability in the Web Reports component of HCL BigFix Platform can possibly allow an attacker to execute malicious javascript code in the application session or in database, via remote injection, while rendering content in a web page.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

Products Affected

Vendor Product Version
hcltech bigfix_platform 11.0.0
hcltech bigfix_platform *
CVE-2023-37528

A cross-site scripting (XSS) vulnerability in the Web Reports component of HCL BigFix Platform can possibly allow an attack to exploit an application parameter during execution of the Save Report.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7
psirt@hcl.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N 1.3 4.7

Products Affected

Vendor Product Version
hcltech bigfix_platform 11.0.0
hcltech bigfix_platform *
CVE-2023-37529

A cross-site scripting (XSS) vulnerability in the Web Reports component of HCL BigFix Platform can possibly allow an attacker to execute malicious javascript code into a webpage trying to retrieve cookie stored information. This is not the same vulnerability as identified in CVE-2023-37530.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 3.0 LOW CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N 1.3 1.4

Products Affected

Vendor Product Version
hcltech bigfix_platform 11.0.0
hcltech bigfix_platform *
CVE-2023-37530

A cross-site scripting (XSS) vulnerability in the Web Reports component of HCL BigFix Platform can possibly allow an attacker to execute malicious javascript code into a webpage trying to retrieve cookie stored information.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 3.0 LOW CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N 1.3 1.4

Products Affected

Vendor Product Version
hcltech bigfix_platform 11.0.0
hcltech bigfix_platform *
CVE-2023-37531

A cross-site scripting (XSS) vulnerability in the Web Reports component of HCL BigFix Platform can possibly allow an attacker to execute malicious javascript code into a form field of a webpage by a user with privileged access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 3.3 LOW CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N 0.7 2.5

Products Affected

Vendor Product Version
hcltech bigfix_platform 11.0.0
hcltech bigfix_platform *
CVE-2023-37532

HCL Commerce Remote Store server could allow a remote attacker, using a specially-crafted URL, to read arbitrary files on the system.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 5.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N 3.9 1.4
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N 2.8 1.4

Products Affected

Vendor Product Version
hcltech commerce *
CVE-2023-37533

HCL Connections is vulnerable to reflected cross-site scripting (XSS) where an attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user after visiting the vulnerable URL which contains the malicious script code. This may allow the attacker to steal cookie-based authentication credentials and comprise a user's account then launch other attacks.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7
psirt@hcl.com 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

Products Affected

Vendor Product Version
hcltech connections 8.0
CVE-2023-37534

Insufficient URI protocol whitelist in HCL Leap allows script injection through query parameters.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 7.1 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N 2.8 4.2

Products Affected

Vendor Product Version
hcltech leap *
hcltech hcl_leap *
CVE-2023-37535

Insufficient URI protocol whitelist in HCL Domino Volt and Domino Leap allow script injection through query parameters.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 7.1 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N 2.8 4.2

Products Affected

Vendor Product Version
hcltech domino_leap *
CVE-2023-37536

An integer overflow in xerces-c++ 3.2.3 in BigFix Platform allows remote attackers to cause out-of-bound access via HTTP request.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9
psirt@hcl.com 8.2 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:H 2.3 5.3

Products Affected

Vendor Product Version
apache xerces-c++ 3.2.3
fedoraproject fedora 37
hcltech bigfix_platform *
CVE-2023-37537

An unquoted service path vulnerability in HCL AppScan Presence, deployed as a Windows service in HCL AppScan on Cloud (ASoC), may allow a local attacker to gain elevated privileges.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

Products Affected

Vendor Product Version
hcltech appscan_presence *
CVE-2023-37538

HCL Digital Experience is susceptible to cross site scripting (XSS). One subcomponent is vulnerable to reflected XSS. In reflected XSS, an attacker must induce a victim to click on a crafted URL from some delivery mechanism (email, other web site).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7
psirt@hcl.com 9.3 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N 2.8 5.8

Products Affected

Vendor Product Version
hcltech digital_experience 9.0
hcltech digital_experience 9.5
hcltech digital_experience 8.5
CVE-2023-37539

The Domino Catalog template is susceptible to a Stored Cross-Site Scripting (XSS) vulnerability. An attacker with the ability to edit documents in the catalog application/database created from this template can embed a cross site scripting attack. The attack would be activated by an end user clicking it.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 8.4 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H 1.7 6.0

Products Affected

Vendor Product Version
hcltech domino 12.0
hcltech domino 11.0
hcltech domino 14.0
CVE-2023-37540

Sametime Connect desktop chat client includes, but does not use or require, the use of an Eclipse feature called Secure Storage. Using this Eclipse feature to store sensitive data can lead to exposure of that data.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 3.9 LOW CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N 1.3 2.5

Products Affected

Vendor Product Version
hcltech sametime *
CVE-2023-37541

HCL Connections contains a broken access control vulnerability that may allow unauthorized user to update data in certain scenarios.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 3.5 LOW CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N 2.1 1.4

Products Affected

Vendor Product Version
hcltech connections 8.0
hcltech connections 7.0
CVE-2023-45696

Sametime is impacted by sensitive fields with autocomplete enabled in the Legacy web chat client. By default, this allows user entered data to be stored by the browser.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 4.0 MEDIUM CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N 0.4 3.6

Products Affected

Vendor Product Version
hcltech sametime *
CVE-2023-45698

Sametime is impacted by lack of clickjacking protection in Outlook add-in. The application is not implementing appropriate protections in order to protect users from clickjacking attacks.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 4.8 MEDIUM CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N 1.2 3.6

Products Affected

Vendor Product Version
hcltech sametime_chat_and_meetings 11.6
hcltech sametime_chat_and_meetings 11.5
hcltech sametime_chat_and_meetings 12.0.1
hcltech sametime_chat_and_meetings 12.0
CVE-2023-45705

An administrative user of WebReports may perform a Server Side Request Forgery (SSRF) exploit through SMTP configuration options.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 3.5 LOW CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N 0.9 2.5

Products Affected

Vendor Product Version
hcltech bigfix_platform *
CVE-2023-45706

An administrative user of WebReports may perform a Cross Site Scripting (XSS) and/or Man in the Middle (MITM) exploit through SAML configuration.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 2.0 LOW CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N 0.5 1.4

Products Affected

Vendor Product Version
hcltech bigfix_platform *
CVE-2023-45715

The console may experience a service interruption when processing file names with invalid characters.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 3.5 LOW CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L 2.1 1.4

Products Affected

Vendor Product Version
hcltech bigfix_platform *
CVE-2023-45716

Sametime is impacted by sensitive information passed in URL.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 1.7 LOW CVSS:3.1/AV:P/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N 0.3 1.4

Products Affected

Vendor Product Version
hcltech sametime *
CVE-2023-45718

Sametime is impacted by a failure to invalidate sessions. The application is setting sensitive cookie values in a persistent manner in Sametime Web clients. When this happens, cookie values can remain valid even after a user has closed out their session.  

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 3.9 LOW CVSS:3.1/AV:P/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N 0.3 3.6

Products Affected

Vendor Product Version
hcltech sametime *
CVE-2023-45720

Insufficient default configuration in HCL Leap allows anonymous access to directory information.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

Products Affected

Vendor Product Version
hcltech leap *
hcltech hcl_leap *
CVE-2023-45721

Insufficient default configuration in HCL Leap allows anonymous access to directory information.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

Products Affected

Vendor Product Version
hcltech domino_leap *
CVE-2023-45722

HCL DRYiCE MyXalytics is impacted by path traversal arbitrary file read vulnerability because it uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory.  The product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. Potential exploits can completely disrupt or take over the application.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9
psirt@hcl.com 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
hcltech dryice_myxalytics 5.9
hcltech dryice_myxalytics 6.1
hcltech dryice_myxalytics 6.0
CVE-2023-45723

HCL DRYiCE MyXalytics is impacted by path traversal vulnerability which allows file upload capability.  Certain endpoints permit users to manipulate the path (including the file name) where these files are stored on the server.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9
psirt@hcl.com 7.6 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L 2.8 4.7

Products Affected

Vendor Product Version
hcltech dryice_myxalytics 5.9
hcltech dryice_myxalytics 6.1
hcltech dryice_myxalytics 6.0
CVE-2023-45724

HCL DRYiCE MyXalytics product is impacted by unauthenticated file upload vulnerability. The web application permits the upload of a certain file without requiring user authentication.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9
psirt@hcl.com 8.2 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N 3.9 4.2

Products Affected

Vendor Product Version
hcltech dryice_myxalytics 5.9
hcltech dryice_myxalytics 6.1
hcltech dryice_myxalytics 6.0
CVE-2023-50341

HCL DRYiCE MyXalytics is impacted by Improper Access Control (Obsolete web pages) vulnerability. Discovery of outdated and accessible web pages, reflects a "Missing Access Control" vulnerability, which could lead to inadvertent exposure of sensitive information and/or exposing a vulnerable endpoint.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6
psirt@hcl.com 7.6 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L 2.8 4.7

Products Affected

Vendor Product Version
hcltech dryice_myxalytics 5.9
hcltech dryice_myxalytics 6.1
hcltech dryice_myxalytics 6.0
CVE-2023-50342

HCL DRYiCE MyXalytics is impacted by an Insecure Direct Object Reference (IDOR) vulnerability.  A user can obtain certain details about another user as a result of improper access control.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 2.8 1.4
psirt@hcl.com 7.1 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N 2.8 4.2

Products Affected

Vendor Product Version
hcltech dryice_myxalytics 5.9
hcltech dryice_myxalytics 6.1
hcltech dryice_myxalytics 6.0
CVE-2023-50343

HCL DRYiCE MyXalytics is impacted by an Improper Access Control (Controller APIs) vulnerability. Certain API endpoints are accessible to Customer Admin Users that can allow access to sensitive information about other users.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 8.3 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L 2.8 5.5
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6

Products Affected

Vendor Product Version
hcltech dryice_myxalytics 5.9
hcltech dryice_myxalytics 6.1
hcltech dryice_myxalytics 6.0
CVE-2023-50344

HCL DRYiCE MyXalytics is impacted by improper access control (Unauthenticated File Download) vulnerability. An unauthenticated user can download certain files.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N 2.8 2.5
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N 2.8 2.5

Products Affected

Vendor Product Version
hcltech dryice_myxalytics 5.9
hcltech dryice_myxalytics 6.1
hcltech dryice_myxalytics 6.0
CVE-2023-50345

HCL DRYiCE MyXalytics is impacted by an Open Redirect vulnerability which could allow an attacker to redirect users to malicious sites, potentially leading to phishing attacks or other security threats.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7
psirt@hcl.com 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N 2.2 1.4

Products Affected

Vendor Product Version
hcltech dryice_myxalytics 5.9
hcltech dryice_myxalytics 6.1
hcltech dryice_myxalytics 6.0
CVE-2023-50346

HCL DRYiCE MyXalytics is impacted by an information disclosure vulnerability. Certain endpoints within the application disclose detailed file information.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 2.8 1.4
psirt@hcl.com 3.1 LOW CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N 1.6 1.4

Products Affected

Vendor Product Version
hcltech dryice_myxalytics 5.9
hcltech dryice_myxalytics 6.1
hcltech dryice_myxalytics 6.0
CVE-2023-50347

HCL DRYiCE MyXalytics is impacted by an insecure SQL interface vulnerability, potentially giving an attacker the ability to execute custom SQL queries. A malicious user can run arbitrary SQL commands including changing system configuration.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N 2.2 1.4

Products Affected

Vendor Product Version
hcltech dryice_myxalytics 5.9
hcltech dryice_myxalytics 6.1
hcltech dryice_myxalytics 6.2
hcltech dryice_myxalytics 6.0
CVE-2023-50348

HCL DRYiCE MyXalytics is impacted by an improper error handling vulnerability. The application returns detailed error messages that can provide an attacker with insight into the application, system, etc.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4
psirt@hcl.com 3.1 LOW CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N 1.6 1.4

Products Affected

Vendor Product Version
hcltech dryice_myxalytics 5.9
hcltech dryice_myxalytics 6.1
hcltech dryice_myxalytics 6.0
CVE-2023-50349

Sametime is impacted by a Cross Site Request Forgery (CSRF) vulnerability. Some REST APIs in the Sametime Proxy application can allow an attacker to perform malicious actions on the application.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 5.9 MEDIUM CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N 0.7 5.2

Products Affected

Vendor Product Version
hcltech sametime *
CVE-2023-50350

HCL DRYiCE MyXalytics is impacted by the use of a broken cryptographic algorithm for encryption, potentially giving an attacker ability to decrypt sensitive information.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 8.2 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N 3.9 4.2
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

Products Affected

Vendor Product Version
hcltech dryice_myxalytics 5.9
hcltech dryice_myxalytics 6.1
hcltech dryice_myxalytics 6.0
CVE-2023-50351

HCL DRYiCE MyXalytics is impacted by the use of an insecure key rotation mechanism which can allow an attacker to compromise the confidentiality or integrity of data.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N 3.9 5.2
psirt@hcl.com 8.2 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N 3.9 4.2

Products Affected

Vendor Product Version
hcltech dryice_myxalytics 5.9
hcltech dryice_myxalytics 6.1
hcltech dryice_myxalytics 6.0
CVE-2023-50355

HCL Sametime is impacted by the error messages containing sensitive information. An attacker can use this information to launch another, more focused attack.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 3.6 LOW CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N 1.8 1.4

Products Affected

Vendor Product Version
hcltech sametime *
hcltech sametime 12.0.2
CVE-2024-23553

A cross-site scripting (XSS) vulnerability in the Web Reports component of HCL BigFix Platform exists due to missing a specific http header attribute.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 3.0 LOW CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N 1.3 1.4
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

Products Affected

Vendor Product Version
hcltech bigfix_platform 11.0.0
hcltech bigfix_platform *
CVE-2024-23554

Cross-Site Request Forgery (CSRF) on Session Token vulnerability that could potentially lead to Remote Code Execution (RCE).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 5.7 MEDIUM CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N 0.5 5.2

Products Affected

Vendor Product Version
hcltech bigfix_platform *
hcltech bigfix_platform 11.0.1
CVE-2024-23556

SSL/TLS Renegotiation functionality potentially leading to DoS attack vulnerability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H 2.2 3.6

Products Affected

Vendor Product Version
hcltech bigfix_platform *
CVE-2024-23557

HCL Connections contains a user enumeration vulnerability. Certain actions could allow an attacker to determine if the user is valid or not, leading to a possible brute force attack.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 3.5 LOW CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N 2.1 1.4

Products Affected

Vendor Product Version
hcltech connections 8.0
hcltech connections 7.0
CVE-2024-23562

A security vulnerability in HCL Domino could allow disclosure of sensitive configuration information. A remote unauthenticated attacker could exploit this vulnerability to obtain information to launch further attacks against the affected system.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

Products Affected

Vendor Product Version
hcltech domino 12.0
hcltech domino 11.0
hcltech domino 14.0
CVE-2024-23563

HCL Connections Docs is vulnerable to a sensitive information disclosure which could allow a user to obtain sensitive information they are not entitled to, caused by improper handling of request data.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 3.9 LOW CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N 1.3 2.5

Products Affected

Vendor Product Version
hcltech connections_docs 2.0.2
CVE-2024-23583

An attacker could potentially intercept credentials via the task manager and perform unauthorized access to the Client Deploy Tool on Windows systems.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 6.7 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 0.8 5.9

Products Affected

Vendor Product Version
hcltech bigfix_platform *
hcltech bigfix_platform 11.0.1
CVE-2024-23588

HCL Nomad server on Domino fails to properly handle users configured with limited Domino access resulting in a possible denial of service vulnerability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H 1.6 3.6

Products Affected

Vendor Product Version
hcltech nomad_server_on_domino *
CVE-2024-30106

HCL Connections is vulnerable to an information disclosure vulnerability, due to an IBM WebSphere Application Server error, which could allow a user to obtain sensitive information they are not entitled to due to the improper handling of request data.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 3.5 LOW CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N 2.1 1.4

Products Affected

Vendor Product Version
hcltech connections 8.0
hcltech connections 7.0
CVE-2024-30107

HCL Connections contains a broken access control vulnerability that may expose sensitive information to unauthorized users in certain scenarios.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 3.5 LOW CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N 2.1 1.4

Products Affected

Vendor Product Version
hcltech connections 8.0
hcltech connections 7.0
CVE-2024-30109

HCL DRYiCE AEX is impacted by a lack of clickjacking protection in the AEX web application. An attacker can use multiple transparent or opaque layers to trick a user into clicking on a button or link on another page than the one intended.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N 2.2 1.4

Products Affected

Vendor Product Version
hcltech dryice_aex 10.0
CVE-2024-30110

HCL DRYiCE AEX product is impacted by lack of input validation vulnerability in a particular web application. A malicious script can be injected into a system which can cause the system to behave in unexpected ways.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N 2.2 1.4

Products Affected

Vendor Product Version
hcltech dryice_aex 10.0
CVE-2024-30111

HCL DRYiCE AEX product is impacted by Missing Root Detection vulnerability in the mobile application. The mobile app can be installed in the rooted device due to which malicious users can gain unauthorized access to the rooted devices, compromising security and potentially leading to data breaches or other malicious activities.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 3.3 LOW CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N 1.8 1.4

Products Affected

Vendor Product Version
hcltech dryice_aex 10.0
CVE-2024-30112

HCL Connections is vulnerable to a cross-site scripting attack where an attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user which leads to executing malicious script code. This may let the attacker steal cookie-based authentication credentials and comprise user's account then launch other attacks.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

Products Affected

Vendor Product Version
hcltech connections 8.0
hcltech connections 7.0
CVE-2024-30113

Insufficient sanitization policy in HCL Leap allows client-side script injection in the deployed application through the HTML widget.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 6.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N 2.1 4.2

Products Affected

Vendor Product Version
hcltech leap *
hcltech hcl_leap *
CVE-2024-30114

Insufficient sanitization in HCL Leap allows client-side script injection in the authoring environment.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N 1.2 2.5

Products Affected

Vendor Product Version
hcltech leap *
hcltech hcl_leap *
CVE-2024-30115

Insufficient sanitization policy in HCL Leap allows client-side script injection in the deployed application through the HTML widget.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 6.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N 2.1 4.2

Products Affected

Vendor Product Version
hcltech domino_leap *
CVE-2024-30122

HCL Sametime is impacted by misconfigured security related HTTP headers. It was identified that some HTTP headers were missing on web service responses. This will lead to less secure browser default treatment for the policies controlled by these headers.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 5.8 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L 1.6 3.7

Products Affected

Vendor Product Version
hcltech sametime *
hcltech sametime 12.0.2
CVE-2024-30124

HCL Sametime is impacted by insecure services in-use on the UIM client by default. An unused legacy REST service was enabled by default using the HTTP protocol. An attacker could potentially use this service endpoint maliciously.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 4.0 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 2.5 1.4

Products Affected

Vendor Product Version
hcltech sametime *
hcltech sametime 12.0.2
CVE-2024-30125

HCL BigFix Compliance server can respond with an HTTP status of 500, indicating a server-side error that may cause the server process to die.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 6.2 MEDIUM CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L 1.4 4.7

Products Affected

Vendor Product Version
hcltech bigfix_compliance *
CVE-2024-30126

HCL BigFix Compliance is affected by a missing X-Frame-Options HTTP header which can allow an attacker to create a malicious website that embeds the target website in a frame or iframe, tricking users into performing actions on the target website without their knowledge.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 4.7 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N 1.6 2.7

Products Affected

Vendor Product Version
hcltech bigfix_compliance *
CVE-2024-30127

Missing "no cache" headers in HCL Leap permits sensitive data to be cached.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 3.2 LOW CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N 1.5 1.4

Products Affected

Vendor Product Version
hcltech leap *
hcltech hcl_leap *
CVE-2024-30128

HCL Nomad server on Domino is affected by an open proxy vulnerability in which an unauthenticated attacker can mask their original source IP address. This may enable an attacker to trick the user into exposing sensitive information.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 8.6 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H 3.9 4.0

Products Affected

Vendor Product Version
hcltech nomad_server_on_domino *
CVE-2024-30130

HCL Nomad server on Domino is vulnerable to the cache containing sensitive information which could potentially give an attacker the ability to acquire the sensitive information.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N 2.2 1.4

Products Affected

Vendor Product Version
hcltech nomad_server_on_domino *
CVE-2024-30132

HCL Nomad server on Domino did not configure certain HTTP Security headers by default which could allow an attacker to obtain sensitive information via unspecified vectors.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N 2.2 1.4

Products Affected

Vendor Product Version
hcltech nomad_server_on_domino *
CVE-2024-30133

HCL Traveler for Microsoft Outlook (HTMO) is susceptible to a control flow vulnerability. The application does not sufficiently manage its control flow during execution, creating conditions in which the control flow can be modified in unexpected ways.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 5.3 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L 1.8 3.4

Products Affected

Vendor Product Version
hcltech traveler_for_microsoft_outlook *
CVE-2024-30134

The HCL Traveler for Microsoft Outlook executable (HTMO.exe) is being flagged as potentially Malicious Software or an Unrecognized Application.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 6.7 MEDIUM CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H 0.8 5.9

Products Affected

Vendor Product Version
hcltech traveler_for_microsoft_outlook *
CVE-2024-30135

HCL DRYiCE AEX is potentially impacted by disclosure of sensitive information in the mobile application when a snapshot is taken.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 3.3 LOW CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N 1.8 1.4

Products Affected

Vendor Product Version
hcltech dryice_aex 10.0
CVE-2024-30140

HCL BigFix Compliance is affected by unvalidated redirects and forwards. The HOST header can be manipulated by an attacker and as a result, it can poison the web cache and provide back to users being served the page.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:L 2.3 2.7

Products Affected

Vendor Product Version
hcltech bigfix_compliance 2.0.11
CVE-2024-30141

HCL BigFix Compliance is vulnerable to the generation of error messages containing sensitive information. Detailed error messages can provide enticement information or expose information about its environment, users, or associated data.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 4.7 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:L 2.8 1.4

Products Affected

Vendor Product Version
hcltech bigfix_compliance 2.0.11
CVE-2024-30142

HCL BigFix Compliance is affected by a missing secure flag on a cookie. If a secure flag is not set, cookies may be stolen by an attacker using XSS, resulting in unauthorized access or session cookies could be transferred over an unencrypted channel.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 3.8 LOW CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L 2.0 1.4

Products Affected

Vendor Product Version
hcltech bigfix_compliance 2.0.11
CVE-2024-30145

Multiple vectors in HCL Domino Volt and Domino Leap allow client-side script injection in the authoring environment and deployed applications.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N 2.8 3.6

Products Affected

Vendor Product Version
hcltech domino_leap *
CVE-2024-30146

Improper access control of endpoint in HCL Domino Leap allows certain admin users to import applications from the server's filesystem.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 4.1 MEDIUM CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L 0.7 3.4

Products Affected

Vendor Product Version
hcltech domino_leap *
CVE-2024-30147

Multiple vectors in HCL Leap allow client-side script injection in the authoring environment and deployed applications.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N 2.8 3.6

Products Affected

Vendor Product Version
hcltech leap *
hcltech hcl_leap *
CVE-2024-30148

Improper access control of endpoint in HCL Leap allows certain admin users to import applications from the server's filesystem.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 4.1 MEDIUM CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L 0.7 3.4

Products Affected

Vendor Product Version
hcltech leap *
hcltech hcl_leap *
CVE-2024-30149

HCL AppScan Source <= 10.6.0 does not properly validate a TLS/SSL certificate for an executable.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 4.8 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N 2.2 2.5

Products Affected

Vendor Product Version
hcltech appscan_source *
CVE-2024-30150

HCL MyCloud is affected by Improper Access Control - an unauthenticated privilege escalation vulnerability which may lead to information disclosure and potential for Server-Side Request Forgery (SSRF) and Denial of Service(DOS) attacks from unauthenticated users.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

Products Affected

Vendor Product Version
hcltech dryice_mycloud 10.8.1
CVE-2024-30152

HCL SX v21 is affected by usage of a weak cryptographic algorithm. An attacker could exploit this weakness to gain access to sensitive information, modify data, or other impacts.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N 2.8 3.6

Products Affected

Vendor Product Version
hcltech hcl_sx 21
CVE-2024-30154

HCL SX is vulnerable to cross-site request forgery vulnerability which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N 1.6 3.6

Products Affected

Vendor Product Version
hcltech hcl_sx 21
CVE-2024-30155

HCL SX does not set the secure attribute on authorization tokens or session cookies. Attackers may potentially be able to obtain access to the cookie values via a Cross-Site-Forgery-Request (CSRF).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 1.8 3.6

Products Affected

Vendor Product Version
hcltech hcl_sx 21
CVE-2024-42168

HCL MyXalytics is affected by out-of-band resource load (HTTP) vulnerability. An attacker can deploy a web server that returns malicious content, and then induce the application to retrieve and process that content.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 8.9 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L 2.2 6.0

Products Affected

Vendor Product Version
hcltech dryice_myxalytics 6.3
CVE-2024-42169

HCL MyXalytics is affected by insecure direct object references. It occurs due to missing access control checks, which fail to verify whether a user should be allowed to access specific data.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 7.1 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N 2.8 4.2

Products Affected

Vendor Product Version
hcltech dryice_myxalytics 6.3
CVE-2024-42170

HCL MyXalytics is affected by a session fixation vulnerability. Cyber-criminals can exploit this by sending crafted URLs with a session token to access the victim's login session.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 6.8 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N 1.6 5.2

Products Affected

Vendor Product Version
hcltech dryice_myxalytics 6.3
CVE-2024-42171

HCL MyXalytics is affected by a session fixation vulnerability. Cyber-criminals can exploit this by sending crafted URLs with a session token to access the victim's login session.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 6.4 MEDIUM CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N 1.2 5.2

Products Affected

Vendor Product Version
hcltech dryice_myxalytics 6.3
CVE-2024-42172

HCL MyXalytics is affected by broken authentication. It allows attackers to compromise keys, passwords, and session tokens, potentially leading to identity theft and system control. This vulnerability arises from poor configuration, logic errors, or software bugs and can affect any application with access control, including databases, network infrastructure, and web applications.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

Products Affected

Vendor Product Version
hcltech dryice_myxalytics 6.3
CVE-2024-42173

HCL MyXalytics is affected by an improper password policy implementation vulnerability. Weak passwords and lack of account lockout policies allow attackers to guess or brute-force passwords if the username is known.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 4.8 MEDIUM CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N 1.2 3.6

Products Affected

Vendor Product Version
hcltech dryice_myxalytics 6.3
CVE-2024-42174

HCL MyXalytics is affected by username enumeration vulnerability. This allows a malicious user to perform enumeration of application users, and therefore compile a list of valid usernames.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N 2.2 1.4

Products Affected

Vendor Product Version
hcltech dryice_myxalytics 6.3
CVE-2024-42175

HCL MyXalytics is affected by a weak input validation vulnerability. The application accepts special characters and there is no length validation. This can lead to security vulnerabilities like SQL injection, XSS, and buffer overflow.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 2.6 LOW CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N 1.2 1.4

Products Affected

Vendor Product Version
hcltech dryice_myxalytics 6.3
CVE-2024-42176

HCL MyXalytics is affected by concurrent login vulnerability. A concurrent login vulnerability occurs when simultaneous active sessions are allowed for a single credential allowing an attacker to potentially obtain access to a user's account or sensitive information.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 2.6 LOW CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N 1.2 1.4
nvd@nist.gov 8.0 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H 2.1 5.9

Products Affected

Vendor Product Version
hcltech dryice_myxalytics 6.3
hcltech dryice_myxalytics 6.4
CVE-2024-42177

HCL MyXalytics is affected by SSL∕TLS Protocol affected with BREACH & LUCKY13 vulnerabilities. Attackers can exploit the weakness in the ciphers to intercept and decrypt encrypted data, steal sensitive information, or inject malicious code into the system.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 2.6 LOW CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N 1.2 1.4
nvd@nist.gov 6.4 MEDIUM CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N 1.2 5.2

Products Affected

Vendor Product Version
hcltech dryice_myxalytics 6.3
CVE-2024-42178

HCL MyXalytics is affected by a failure to restrict URL access vulnerability. Unauthenticated users might gain unauthorized access to potentially confidential information, creating a risk of misuse, manipulation, or unauthorized distribution.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 2.5 LOW CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N 1.0 1.4
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

Products Affected

Vendor Product Version
hcltech dryice_myxalytics 6.3
CVE-2024-42179

HCL MyXalytics is affected by sensitive information disclosure vulnerability. The HTTP response header exposes the Microsoft-HTTP API∕2.0 as the server's name & version.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 2.0 LOW CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N 0.5 1.4

Products Affected

Vendor Product Version
hcltech dryice_myxalytics 6.3
CVE-2024-42180

HCL MyXalytics is affected by a malicious file upload vulnerability. The application accepts invalid file uploads, including incorrect content types, double extensions, null bytes, and special characters, allowing attackers to upload and execute malicious files.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 1.6 LOW CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N 0.1 1.4

Products Affected

Vendor Product Version
hcltech dryice_myxalytics 6.3
CVE-2024-42181

HCL MyXalytics is affected by a cleartext transmission of sensitive information vulnerability. The application transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 1.6 LOW CVSS:3.1/AV:P/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N 0.2 1.4

Products Affected

Vendor Product Version
hcltech dryice_myxalytics 6.3
CVE-2024-42188

HCL Connections is vulnerable to a broken access control vulnerability that may allow an unauthorized user to update data in certain scenarios.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N 1.2 2.5

Products Affected

Vendor Product Version
hcltech connections 8.0
hcltech connections 7.0
CVE-2024-42189

HCL BigFix Web Reports might be subject to a Denial of Service (DoS) attack, due to a potentially weak validation of an API parameter.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 2.8 3.6

Products Affected

Vendor Product Version
hcltech bigfix_platform *
CVE-2024-42190

HCL Traveler for Microsoft Outlook (HTMO) is susceptible to a DLL hijacking vulnerability which could allow an attacker to modify or replace the application with malicious content.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 6.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H 0.6 5.9

Products Affected

Vendor Product Version
hcltech traveler_for_microsoft_outlook *
CVE-2024-42191

HCL Traveler for Microsoft Outlook (HTMO) is susceptible to a COM hijacking vulnerability which could allow an attacker to modify or replace the application with malicious content.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 6.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H 0.6 5.9

Products Affected

Vendor Product Version
hcltech traveler_for_microsoft_outlook *
CVE-2024-42192

HCL Traveler for Microsoft Outlook (HTMO) is susceptible to a credential leakage which could allow an attacker to access other computers or applications.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 1.8 3.6

Products Affected

Vendor Product Version
hcltech traveler_for_microsoft_outlook *
CVE-2024-42193

HCL BigFix Web Reports' service communicates over HTTPS but exhibits a weakness in its handling of SSL certificate validation. This scenario presents a possibility of man-in-the-middle (MITM) attacks and data exposure as, if exploited, this vulnerability could potentially lead to unauthorized access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 2.2 5.9

Products Affected

Vendor Product Version
hcltech bigfix_platform *
CVE-2024-42200

HCL BigFix Web Reports might be subject to a Stored Cross-Site Scripting (XSS) attack, due to a potentially weak validation of user input.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

Products Affected

Vendor Product Version
hcltech bigfix_platform *
CVE-2024-42207

HCL iAutomate is affected by a session fixation vulnerability.  An attacker could hijack a victim's session ID from their authenticated session.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 5.5 MEDIUM CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:L/A:L 0.7 4.7

Products Affected

Vendor Product Version
hcltech dryice_iautomate 6.4.2
CVE-2024-42208

HCL Connections is vulnerable to an information disclosure vulnerability which could allow a user to obtain sensitive information they are not entitled to, caused by improper handling of request data.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 3.5 LOW CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N 2.1 1.4

Products Affected

Vendor Product Version
hcltech connections 8.0
hcltech connections 7.0
CVE-2024-42209

HCL Connections is vulnerable to an information disclosure vulnerability that could allow a user to obtain sensitive information they are not entitled to, which is caused by improper handling of request data.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 3.5 LOW CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N 2.1 1.4

Products Affected

Vendor Product Version
hcltech connections 8.0
hcltech connections 7.0
CVE-2024-42210

A Stored cross-site scripting (XSS) vulnerability affects HCL Unica Marketing Operations v12.1.8 and lower.  Stored cross-site scripting (also known as second-order or persistent XSS) arises when an application receives data from an untrusted source and includes that data within its later HTTP responses in an unsafe way.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 7.6 HIGH CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H 1.0 6.0

Products Affected

Vendor Product Version
hcltech unica *
CVE-2024-42212

HCL BigFix Compliance is affected by an improper or missing SameSite attribute. This can lead to Cross-Site Request Forgery (CSRF) attacks, where a malicious site could trick a user's browser into making unintended requests using authenticated sessions.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N 2.8 2.5

Products Affected

Vendor Product Version
hcltech bigfix_compliance 2.0.12
CVE-2024-42213

HCL BigFix Compliance is affected by inclusion of temporary files left in the production environment. An attacker might gain access to these files by indexing or retrieved via predictable URLs or misconfigured permissions, leading to information disclosure.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

Products Affected

Vendor Product Version
hcltech bigfix_compliance 2.0.12
CVE-2025-0249

HCL IEM is affected by an improper invalidation of access or JWT token vulnerability.  A token was not invalidated which may allow attackers to access sensitive data without authorization.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 3.3 LOW CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N 0.7 2.5
nvd@nist.gov 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N 2.2 3.6

Products Affected

Vendor Product Version
hcltech intelliops_event_management 1.2
CVE-2025-0250

HCL IEM is affected by an authorization token sent in cookie vulnerability.  A token used for authentication and authorization is being handled in a manner that may increase its exposure to security risks.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N 1.2 3.6
psirt@hcl.com 2.2 LOW CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N 0.7 1.4

Products Affected

Vendor Product Version
hcltech intelliops_event_management 1.2
CVE-2025-0251

HCL IEM is affected by a concurrent login vulnerability.  The application allows multiple concurrent sessions using the same user credentials, which may introduce security risks.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.7 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N 2.1 3.6
psirt@hcl.com 2.6 LOW CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N 1.2 1.4

Products Affected

Vendor Product Version
hcltech intelliops_event_management 1.2
CVE-2025-0252

HCL IEM is affected by a password in cleartext vulnerability.  Sensitive information is transmitted without adequate protection, potentially exposing it to unauthorized access during transit.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.8 MEDIUM CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N 1.2 3.6
psirt@hcl.com 2.6 LOW CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N 1.2 1.4

Products Affected

Vendor Product Version
hcltech intelliops_event_management 1.2
CVE-2025-0253

HCL IEM is affected by a cookie attribute not set vulnerability due to inconsistency of certain security-related configurations which could increase exposure to potential vulnerabilities.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 2.4 LOW CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N 0.9 1.4
psirt@hcl.com 2.0 LOW CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N 0.5 1.4

Products Affected

Vendor Product Version
hcltech intelliops_event_management 1.2
CVE-2025-0274

HCL BigFix Modern Client Management (MCM) 3.3 and earlier is affected by improper access control. Unauthorized users can access a small subset of endpoint actions, potentially allowing access to select internal functions.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 2.8 1.4
psirt@hcl.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 3.9 1.4

Products Affected

Vendor Product Version
hcltech bigfix_modern_client_management *
hcltech bigfix_mobile *
CVE-2025-0275

HCL BigFix Mobile 3.3 and earlier is affected by improper access control. Unauthorized users can access a small subset of endpoint actions, potentially allowing access to select internal functions.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 2.8 1.4
psirt@hcl.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 3.9 1.4

Products Affected

Vendor Product Version
hcltech bigfix_modern_client_management *
hcltech bigfix_mobile *
CVE-2025-0276

HCL BigFix Modern Client Management (MCM) 3.3 and earlier are vulnerable to certain insecure directives within the Content Security Policy (CSP). An attacker could trick users into performing actions by not properly restricting the sources of scripts and other content.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7
psirt@hcl.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L 3.9 2.5

Products Affected

Vendor Product Version
hcltech bigfix_modern_client_management *
hcltech bigfix_mobile *
CVE-2025-0277

HCL BigFix Mobile 3.3 and earlier are vulnerable to certain insecure directives within the Content Security Policy (CSP). An attacker could trick users into performing actions by not properly restricting the sources of scripts and other content.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7
psirt@hcl.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L 3.9 2.5

Products Affected

Vendor Product Version
hcltech bigfix_modern_client_management *
hcltech bigfix_mobile *
CVE-2025-0278

HCL Traveler is affected by an internal path disclosure in a Windows application when the application inadvertently reveals internal file paths, in error messages, debug logs, or responses to user requests.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 2.8 1.4

Products Affected

Vendor Product Version
hcltech traveler *
CVE-2025-0279

HCL Traveler generates some error messages that provide detailed information about errors and failures, such as internal paths, file names, sensitive tokens, credentials, error codes, or stack traces. Attackers could exploit this information to gain insights into the system's architecture and potentially launch targeted attacks.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 2.8 1.4

Products Affected

Vendor Product Version
hcltech traveler *
CVE-2025-31952

HCL iAutomate is affected by an insufficient session expiration. This allows tokens to remain valid indefinitely unless manually revoked, increasing the risk of unauthorized access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 7.1 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L 2.8 4.2

Products Affected

Vendor Product Version
hcltech dryice_iautomate 6.5.1
CVE-2025-31953

HCL iAutomate includes hardcoded credentials which may result in potential exposure of confidential data if intercepted or accessed by unauthorized parties.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6
psirt@hcl.com 7.1 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N 2.8 4.2

Products Affected

Vendor Product Version
hcltech dryice_iautomate 6.5.1
CVE-2025-31954

HCL iAutomate v6.5.1 and v6.5.2 is susceptible to a sensitive information disclosure. An HTTP GET method is used to process a request and includes sensitive information in the query string of that request. An attacker could potentially access information or resources they were not intended to see.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N 2.8 2.5

Products Affected

Vendor Product Version
hcltech dryice_iautomate 6.5.2
hcltech dryice_iautomate 6.5.1
CVE-2025-31955

HCL iAutomate is affected by a sensitive data exposure vulnerability. This issue may allow unauthorized access to sensitive information within the system.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 7.6 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L 2.8 4.7
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6

Products Affected

Vendor Product Version
hcltech dryice_iautomate 6.5.1
CVE-2025-31961

HCL Connections contains a broken access control vulnerability that may allow unauthorized user to update data in certain scenarios.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.6 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N 2.1 2.5
psirt@hcl.com 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N 1.2 2.5

Products Affected

Vendor Product Version
hcltech connections 8.0
CVE-2025-31962

Insufficient session expiration in the Web UI authentication component in HCL BigFix IVR version 4.2 allows an authenticated attacker to gain prolonged unauthorized access to protected API endpoints due to excessive expiration periods.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 2.0 LOW CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N 0.5 1.4

Products Affected

Vendor Product Version
hcltech bigfix_insights_for_vulnerability_remediation 4.2
CVE-2025-31964

Improper service binding configuration in internal service components in HCL BigFix IVR version 4.2 allows a privileged attacker to impact service availability via exposure of administrative services bound to external network interfaces instead of the local authentication interface.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 2.2 LOW CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L 0.7 1.4

Products Affected

Vendor Product Version
hcltech bigfix_insights_for_vulnerability_remediation 4.2
CVE-2025-31966

HCL Sametime is vulnerable to broken server-side validation. While the application performs client-side input checks, these are not enforced by the web server. An attacker can bypass these restrictions by sending manipulated HTTP requests directly to the server.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 2.7 LOW CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N 1.2 1.4

Products Affected

Vendor Product Version
hcltech sametime *
CVE-2025-31969

HCL Unica Platform is impacted by misconfigured Content Security Policy (CSP). These can result in malicious resources getting loaded and browsers may come across certain types of attacks, such as cross-site scripting and clickjacking.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 4.0 MEDIUM CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:L 1.0 2.7
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

Products Affected

Vendor Product Version
hcltech unica *
CVE-2025-31972

HCL BigFix SM is affected by a Sensitive Information Exposure vulnerability where internal connections do not use TLS encryption which could allow an attacker unauthorized access to sensitive data transmitted between internal components.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 6.5 MEDIUM CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 2.8 3.6

Products Affected

Vendor Product Version
hcltech bigfix_service_management 23.0
CVE-2025-31977

HCL BigFix SM is affected by cryptographic weakness due to weak or outdated encryption algorithms.  An attacker with network access could exploit this weakness to decrypt or manipulate encrypted communications under certain conditions.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N 1.6 3.6

Products Affected

Vendor Product Version
hcltech bigfix_service_management 23.0
CVE-2025-31987

HCL Connections Docs may mishandle validation of certain uploaded documents leading to denial of service due to resource exhaustion.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 4.8 MEDIUM CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H 1.2 3.6

Products Affected

Vendor Product Version
hcltech connections_docs 2.0.2
CVE-2025-31988

HCL Digital Experience is susceptible to cross site scripting (XSS) in an administrative UI with restricted access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N 1.2 3.6
nvd@nist.gov 4.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N 1.7 2.7

Products Affected

Vendor Product Version
hcltech digital_experience 9.0
hcltech digital_experience 9.5
hcltech digital_experience 8.5
CVE-2025-31993

HCL Unica Centralized Offer Management is vulnerable to a potential Server-Side Request Forgery (SSRF). An attacker can exploit improper input validation by submitting maliciously crafted input to a target application running on a server.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 3.5 LOW CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:L 0.9 2.5

Products Affected

Vendor Product Version
hcltech unica_centralized_offer_management *
CVE-2025-31996

HCL Unica Platform is affected by unprotected files due to improper access controls.  These files may contain sensitive information such as private or system information that can be exploited by attackers to compromise the application, infrastructure, or users.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6
psirt@hcl.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N 1.6 3.6

Products Affected

Vendor Product Version
hcltech unica *
CVE-2025-31997

HCL Unica Centralized Offer Management is vulnerable to Insecure Direct Object References (IDOR). An attacker can bypass authorization and access resources in the system directly, for example database records or files.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 4.2 MEDIUM CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N 0.5 3.6

Products Affected

Vendor Product Version
hcltech unica_centralized_offer_management *
CVE-2025-31998

HCL Unica Centralized Offer Management is vulnerable to poor unhandled exceptions which exposes sensitive information. An attacker can exploit use this information to exploit known vulnerabilities launch targeted attacks, such as remote code execution or denial of service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 3.5 LOW CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N 2.1 1.4

Products Affected

Vendor Product Version
hcltech unica_centralized_offer_management *
CVE-2025-51733

Cross-Site Request Forgery (CSRF) vulnerability in HCL Technologies Ltd. Unica 12.0.0.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 5.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L 2.1 3.4

Products Affected

Vendor Product Version
hcltech unica 12.0.0
CVE-2025-51734

Cross-site scripting (XSS) vulnerability in HCL Technologies Ltd. Unica 12.0.0.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N 2.8 2.5

Products Affected

Vendor Product Version
hcltech unica 12.0.0
CVE-2025-51735

CSV formula injection vulnerability in HCL Technologies Ltd. Unica 12.0.0.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
hcltech unica 12.0.0
CVE-2025-51736

File upload vulnerability in HCL Technologies Ltd. Unica 12.0.0.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 6.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L 2.8 3.4

Products Affected

Vendor Product Version
hcltech unica 12.0.0
CVE-2025-52603

HCL Connections is vulnerable to information disclosure. In a very specific user navigation scenario, this could allow a user to obtain limited information when a single piece of internal metadata is returned in the browser.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 3.5 LOW CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N 2.1 1.4

Products Affected

Vendor Product Version
hcltech connections 8.0
hcltech connections 7.0
CVE-2025-52614

HCL Unica Platform is affected by a Cookie without HTTPOnly Flag Set vulnerability. A malicious agent may be able to induce this event by feeding a user suitable links, either directly or via another web site.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 3.5 LOW CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N 2.1 1.4
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N 2.8 1.4

Products Affected

Vendor Product Version
hcltech unica *
CVE-2025-52615

HCL Unica Platform is impacted by misconfigured security related HTTP headers. This can lead to less secure browser default treatment for the policies controlled by these headers.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4
psirt@hcl.com 3.5 LOW CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N 2.1 1.4

Products Affected

Vendor Product Version
hcltech unica *
CVE-2025-52616

HCL Unica 12.1.10 can expose sensitive system information. An attacker could use this information to form an attack plan by leveraging known vulnerabilities in the application.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N 3.9 1.4
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

Products Affected

Vendor Product Version
hcltech unica 12.1.10
CVE-2025-52618

HCL BigFix SaaS Authentication Service is affected by a SQL injection vulnerability. The vulnerability allows potential attackers to manipulate SQL queries.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L 2.8 1.4

Products Affected

Vendor Product Version
hcltech bigfix_saas *
CVE-2025-52619

HCL BigFix SaaS Authentication Service is affected by a sensitive information disclosure. Under certain conditions, error messages disclose sensitive version information about the underlying platform.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

Products Affected

Vendor Product Version
hcltech bigfix_saas *
CVE-2025-52620

HCL BigFix SaaS Authentication Service is affected by a Cross-Site Scripting (XSS) vulnerability. The image upload functionality inadequately validated the submitted image format.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L 2.8 1.4

Products Affected

Vendor Product Version
hcltech bigfix_saas *
CVE-2025-52621

HCL BigFix SaaS Authentication Service is vulnerable to cache poisoning.  The BigFix SaaS's HTTP responses were observed to include the Origin header. Its presence alongside an unvalidated reflection of the Origin header value introduces a potential for cache poisoning.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

Products Affected

Vendor Product Version
hcltech bigfix_saas *
CVE-2025-52623

HCL AION is affected by an Autocomplete HTML Attribute Not Disabled for Password Field vulnerability. This can allow autocomplete on password fields may lead to unintended storage or disclosure of sensitive credentials, potentially increasing the risk of unauthorized access. This issue affects AION: 2.0.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:L 1.2 2.5

Products Affected

Vendor Product Version
hcltech aion 2.0.0
hcltech aion 2.0
CVE-2025-52624

A vulnerability  Bypass of the script allowlist configuration in HCL AION.  An incorrectly configured Content-Security-Policy header may allow unauthorized scripts to execute, increasing the risk of cross-site scripting and other injection-based attacks.This issue affects AION: 2.0.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7
psirt@hcl.com 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N 2.8 2.5

Products Affected

Vendor Product Version
hcltech aion 2.0.0
hcltech aion 2.0
CVE-2025-52625

A vulnerability  Cacheable SSL Page Found vulnerability has been identified in HCL AION.  Cached data may expose credentials, system identifiers, or internal file paths to attackers with access to the device or browser This issue affects AION: 2.0.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6
psirt@hcl.com 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N 2.2 1.4

Products Affected

Vendor Product Version
hcltech aion 2.0.0
hcltech aion 2.0
CVE-2025-52626

A Potential Command Injection vulnerability in HCL AION.  An This can allow unintended command execution, potentially leading to unauthorized actions on the underlying system.This issue affects AION: 2.0

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 4.5 MEDIUM CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L 1.0 3.4

Products Affected

Vendor Product Version
hcltech aion 2.0.0
hcltech aion 2.0
CVE-2025-52627

Root File System Not Mounted as Read-Only configuration vulnerability. This can allow unintended modifications to critical system files, potentially increasing the risk of system compromise or unauthorized changes.This issue affects AION: 2.0.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 5.5 MEDIUM CVSS:3.1/AV:P/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N 0.3 5.2

Products Affected

Vendor Product Version
hcltech aion 2.0.0
hcltech aion 2.0
CVE-2025-52628

HCL AION is affected by a Cookie with Insecure, Improper, or Missing SameSite vulnerability. This can allow cookies to be sent in cross-site requests, potentially increasing exposure to cross-site request forgery and related security risks. This issue affects AION: 2.0.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 4.6 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L 2.1 2.5

Products Affected

Vendor Product Version
hcltech aion 2.0.0
hcltech aion 2.0
CVE-2025-52629

HCL AION is susceptible to Missing Content-Security-Policy.  An The absence of a CSP header may increase the risk of cross-site scripting and other content injection attacks by allowing unsafe scripts or resources to execute..This issue affects AION: 2.0.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:L 1.2 2.5

Products Affected

Vendor Product Version
hcltech aion 2.0.0
hcltech aion 2.0
CVE-2025-52630

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in HCL AION.This issue affects AION: 2.0.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6
psirt@hcl.com 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N 2.2 1.4

Products Affected

Vendor Product Version
hcltech aion 2.0.0
hcltech aion 2.0
CVE-2025-52631

HCL AION is affected by a Missing or Insecure HTTP Strict-Transport-Security (HSTS) Header vulnerability. This can allow insecure connections, potentially exposing the application to man-in-the-middle and protocol downgrade attacks.. This issue affects AION: 2.0.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:L 1.2 2.5

Products Affected

Vendor Product Version
hcltech aion 2.0.0
hcltech aion 2.0
CVE-2025-52632

A Missing Secure Attribute in Encrypted Session (SSL) Cookie vulnerability in HCL AION.This issue affects AION: 2.0.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6
psirt@hcl.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N 2.2 4.2

Products Affected

Vendor Product Version
hcltech aion 2.0.0
hcltech aion 2.0
CVE-2025-52633

HCL AION is affected by a Permanent Cookie Containing Sensitive Session Information vulnerability. It is storing sensitive session data in persistent cookies may increase the risk of unauthorized access if the cookies are intercepted or compromised. This issue affects AION: 2.0.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 3.1 LOW CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:L 0.5 2.5

Products Affected

Vendor Product Version
hcltech aion 2.0.0
hcltech aion 2.0
CVE-2025-52634

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in HCL AION This issue affects HCL AION: 2.0.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6
psirt@hcl.com 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N 2.2 1.4

Products Affected

Vendor Product Version
hcltech aion 2.0.0
hcltech aion 2.0
CVE-2025-52635

A rusted types in scripts not enforced in CSP vulnerability has been identified in HCL AION.This issue affects AION: 2.0.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N 2.2 1.4
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
hcltech aion 2.0.0
hcltech aion 2.0
CVE-2025-52636

HCL AION is affected by a vulnerability related to the handling of upload size limits. Improper control or validation of upload sizes may allow excessive resource consumption, which could potentially lead to service degradation or denial-of-service conditions under certain scenarios.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 1.8 LOW CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L 0.3 1.4

Products Affected

Vendor Product Version
hcltech aion *
CVE-2025-52639

HCL Connections is vulnerable to a sensitive information disclosure vulnerability which could allow a user to obtain sensitive information they are not entitled to, caused by improper rendering of application data.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 3.5 LOW CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N 2.1 1.4

Products Affected

Vendor Product Version
hcltech connections 8.0
CVE-2025-52642

HCL AION is affected by a vulnerability where internal filesystem paths may be exposed through application responses or system behaviour. Exposure of internal paths may reveal environment structure details which could potentially aid in further targeted attacks or information disclosure.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 3.3 LOW CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N 0.8 2.5

Products Affected

Vendor Product Version
hcltech aion *
CVE-2025-52643

HCL AION is affected by a vulnerability where untrusted file parsing operations are not executed within a properly isolated sandbox environment. This may expose the application to potential security risks, including unintended behaviour or integrity impact when processing specially crafted files.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 4.7 MEDIUM CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:L 0.6 3.7

Products Affected

Vendor Product Version
hcltech aion *
CVE-2025-52644

HCL AION is affected by a vulnerability where certain user actions are not adequately audited or logged. The absence of proper auditing mechanisms may reduce traceability of user activities and could potentially impact monitoring, accountability, or incident investigation processes.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 5.8 MEDIUM CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L 1.0 4.7

Products Affected

Vendor Product Version
hcltech aion *
CVE-2025-52645

HCL AION is affected by a vulnerability where model packaging and distribution mechanisms may not include sufficient authenticity verification. This may allow the possibility of unverified or modified model artifacts being used, potentially leading to integrity concerns or unintended behaviour.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 1.9 LOW CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N 0.5 1.4

Products Affected

Vendor Product Version
hcltech aion *
CVE-2025-52646

HCL AION is affected by a vulnerability where certain offering configurations may permit execution of potentially harmful SQL queries. Improper validation or restrictions on query execution could expose the system to unintended database interactions or limited information exposure under specific conditions.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 2.2 LOW CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N 0.8 1.4

Products Affected

Vendor Product Version
hcltech aion *
CVE-2025-52649

HCL AION is affected by a vulnerability where certain identifiers may be predictable in nature. Predictable identifiers may allow an attacker to infer or guess system-generated values, potentially leading to limited information disclosure or unintended access under specific conditions.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4
psirt@hcl.com 1.8 LOW CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N 0.3 1.4

Products Affected

Vendor Product Version
hcltech aion *
CVE-2025-52650

Inline script execution allowed in CSP vulnerability has been identified in HCL AION v2.0

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7
psirt@hcl.com 8.2 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N 2.8 4.7

Products Affected

Vendor Product Version
hcltech aion 2.0
CVE-2025-52653

HCL MyXalytics product is affected by Cross Site Scripting vulnerability in the web application. This can allow the execution of unauthorized scripts, potentially resulting in unauthorized actions or access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7
psirt@hcl.com 7.6 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:H 2.1 5.5

Products Affected

Vendor Product Version
hcltech dryice_myxalytics 6.6
CVE-2025-52654

HCL MyXalytics v6.6 is affected by an HTML Injection. This issue occurs when untrusted input is included in the output without proper handling, potentially allowing unauthorized content injection and manipulation.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 4.6 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N 2.1 2.5

Products Affected

Vendor Product Version
hcltech dryice_myxalytics 6.6
CVE-2025-52656

HCL MyXalytics: 6.6.  is affected by Mass Assignment vulnerability. Mass Assignment occurs when user input is automatically bound to application objects without proper validation or access controls, potentially allowing unauthorized modification of sensitive fields.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 7.6 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L 2.8 4.7

Products Affected

Vendor Product Version
hcltech dryice_myxalytics 6.6
CVE-2025-52658

HCL MyXalytics is affected by the use of vulnerable/outdated versions which can expose the application to known security risks that could be exploited.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N 1.7 2.7
psirt@hcl.com 3.5 LOW CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N 0.9 2.5

Products Affected

Vendor Product Version
hcltech dryice_myxalytics 6.6
CVE-2025-52659

HCL AION version 2 is affected by a Cacheable HTTP Response vulnerability. This may lead to unintended storage of sensitive or dynamic content, potentially resulting in unauthorized access or information disclosure.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 2.8 LOW CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L 1.3 1.4

Products Affected

Vendor Product Version
hcltech aion 2.0.0
hcltech aion 2.0
CVE-2025-52660

HCL AION is affected by an Unrestricted File Upload vulnerability. This can allow malicious file uploads, potentially resulting in unauthorized code execution or system compromise.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 2.7 LOW CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N 1.2 1.4

Products Affected

Vendor Product Version
hcltech aion 2.0.0
hcltech aion 2.0
CVE-2025-52661

HCL AION version 2 is affected by a JWT Token Expiry Too Long vulnerability. This may increase the risk of token misuse, potentially resulting in unauthorized access if the token is compromised.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 2.4 LOW CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N 0.9 1.4

Products Affected

Vendor Product Version
hcltech aion 2.0.0
hcltech aion 2.0
CVE-2025-55249

HCL AION is affected by a Missing Security Response Headers vulnerability. The absence of standard security headers may weaken the application’s overall security posture and increase its susceptibility to common web-based attacks.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 3.5 LOW CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L 2.1 1.4

Products Affected

Vendor Product Version
hcltech aion 2.0.0
hcltech aion 2.0
CVE-2025-55250

HCL AION version 2 is affected by a Technical Error Disclosure vulnerability. This can expose sensitive technical details, potentially resulting in information disclosure or aiding further attacks.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 1.8 LOW CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L 0.3 1.4

Products Affected

Vendor Product Version
hcltech aion 2.0.0
hcltech aion 2.0
CVE-2025-55251

HCL AION is affected by an Unrestricted File Upload vulnerability. This can allow malicious file uploads, potentially resulting in unauthorized code execution or system compromise.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 3.1 LOW CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:L 0.6 2.5

Products Affected

Vendor Product Version
hcltech aion 2.0.0
hcltech aion 2.0
CVE-2025-55252

HCL AION  version 2 is affected by a Weak Password Policy vulnerability. This can  allow the use of easily guessable passwords, potentially resulting in unauthorized access

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 3.1 LOW CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N 0.5 2.5

Products Affected

Vendor Product Version
hcltech aion 2.0.0
hcltech aion 2.0
CVE-2025-55261

HCL Aftermarket DPC is affected by Missing Functional Level Access Control which will allow attacker to escalate his privileges and may compromise the application and may steal and manipulate the data.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 8.1 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H 2.8 5.2
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
hcltech aftermarket_cloud 1.0.0
CVE-2025-55262

HCL Aftermarket DPC is affected by SQL Injection which allows attacker to exploit this vulnerability to retrieve sensitive information from the database.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 8.3 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:H 2.8 5.5
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

Products Affected

Vendor Product Version
hcltech aftermarket_cloud 1.0.0
CVE-2025-55263

HCL Aftermarket DPC is affected by Hardcoded Sensitive Data which allows attacker to gain access to the source code or if it is stored in insecure repositories, they can easily retrieve these hardcoded secrets.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 7.3 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:H 2.1 5.2
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

Products Affected

Vendor Product Version
hcltech aftermarket_cloud 1.0.0
CVE-2025-55264

HCL Aftermarket DPC is affected by Failure to Invalidate Session on Password Change will allow attacker to access to a session, then they can maintain control over the account despite the password change leading to account takeover.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 5.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L 2.1 3.4

Products Affected

Vendor Product Version
hcltech aftermarket_cloud 1.0.0
CVE-2025-55265

HCL Aftermarket DPC is affected by File Discovery which allows attacker could exploit this issue to read sensitive files present in the system and may use it to craft further attacks.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N 2.8 3.6
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

Products Affected

Vendor Product Version
hcltech aftermarket_cloud 1.0.0
CVE-2025-55266

HCL Aftermarket DPC is affected by Session Fixation which allows attacker to takeover the user's session and use it carry out unauthorized transaction behalf of the user.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:L 1.6 4.2
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N 2.8 3.6

Products Affected

Vendor Product Version
hcltech aftermarket_cloud 1.0.0
CVE-2025-55267

HCL Aftermarket DPC is affected by Unrestricted File Upload vulnerability, allows attacker to upload and execute malicious scripts, gaining full control over the server.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9
psirt@hcl.com 5.7 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N 2.1 3.6

Products Affected

Vendor Product Version
hcltech aftermarket_cloud 1.0.0
CVE-2025-55268

HCL Aftermarket DPC is affected by Spamming Vulnerability which can allow the actor to excessive spamming can consume server bandwidth and processing resources which may lead to Denial of Service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 3.9 1.4
psirt@hcl.com 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L 2.8 1.4

Products Affected

Vendor Product Version
hcltech aftermarket_cloud 1.0.0
CVE-2025-55269

HCL Aftermarket DPC is affected by Weak Password Policy vulnerability, which makes it easier for attackers to guess weak passwords or use brute-force techniques to gain unauthorized access to user accounts.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 4.2 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:L 1.6 2.5
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
hcltech aftermarket_cloud 1.0.0
CVE-2025-55270

HCL Aftermarket DPC is affected by Improper Input Validation which allows an attacker to inject executable code and can carry out attacks such as XSS, SQL Injection, Command Injection etc.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 3.5 LOW CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N 2.1 1.4
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
hcltech aftermarket_cloud 1.0.0
CVE-2025-55271

HCL Aftermarket DPC is affected by HTTP Response Splitting vulnerability where in depending on how the web application handles the split response, an attacker may be able to execute arbitrary commands or inject harmful content into the response..

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9
psirt@hcl.com 3.1 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N 1.6 1.4

Products Affected

Vendor Product Version
hcltech aftermarket_cloud 1.0.0
CVE-2025-55272

HCL Aftermarket DPC is affected by Banner Disclosure vulnerability where attackers gain insights into the system’s software and version details which would allow them to craft software specific attacks.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 3.1 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N 1.6 1.4
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

Products Affected

Vendor Product Version
hcltech aftermarket_cloud 1.0.0
CVE-2025-55273

HCL Aftermarket DPC is affected by Cross Domain Script Include vulnerability where an attacker using external scripts can tamper with the DOM, altering the content or behavior of the application. Malicious scripts can steal cookies or session tokens, leading to session hijacking.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N 2.8 1.4
psirt@hcl.com 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N 2.8 1.4

Products Affected

Vendor Product Version
hcltech aftermarket_cloud 1.0.0
CVE-2025-55274

HCL Aftermarket DPC is affected by Cross-Origin Resource Sharing vulnerability. CORS misconfigurations includes the exposure of sensitive user information to attackers, unauthorized access to APIs, and possible data manipulation or leakage. If an attacker to exploit CORS misconfiguration, they could steal sensitive data, perform actions on behalf of a legitimate user.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 2.6 LOW CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N 1.2 1.4
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 2.8 1.4

Products Affected

Vendor Product Version
hcltech aftermarket_cloud 1.0.0
CVE-2025-55275

HCL Aftermarket DPC is affected by Admin Session Concurrency vulnerability using which an attacker can exploit concurrent sessions to hijack or impersonate an admin user.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N 2.8 5.2
psirt@hcl.com 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:L 1.2 2.5

Products Affected

Vendor Product Version
hcltech aftermarket_cloud 1.0.0
CVE-2025-55276

HCL Aftermarket DPC is affected by Internal IP Disclosure vulnerability will give attackers a clearer map of the organization’s network layout.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4
psirt@hcl.com 3.1 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L 1.6 1.4

Products Affected

Vendor Product Version
hcltech aftermarket_cloud 1.0.0
CVE-2025-55277

HCL Aftermarket DPC is affected by Use of Vulnerable/Outdated Versions vulnerability using which an attacker may make use of the exploits available across the internet and craft attacks against the application.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L 3.9 2.5
psirt@hcl.com 2.6 LOW CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N 1.2 1.4

Products Affected

Vendor Product Version
hcltech aftermarket_cloud 1.0.0
CVE-2025-59870

HCL MyXalytics  is affected by improper management of a static JWT signing secret in the web application, where the secret lacks rotation , introducing a security risk

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 7.4 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N 2.2 5.2

Products Affected

Vendor Product Version
hcltech myxalytics 6.3
hcltech myxalytics 6.2
hcltech myxalytics 6.5
hcltech myxalytics 6.4
hcltech myxalytics 6.7
hcltech myxalytics 6.6
CVE-2025-62326

HCL Digital Experience is susceptible to stored cross-site scripting (XSS) in the administrative user interface which would require elevated privileges to exploit.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N 0.9 5.2

Products Affected

Vendor Product Version
hcltech digital_experience 9.5
CVE-2025-63401

Cross Site Scripting vulnerability in HCL Technologies Limited HCLTech DRAGON before v.7.6.0 allows a remote attacker to execute arbitrary code via missing directives

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 5.5 MEDIUM CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:H/A:L 0.7 4.7

Products Affected

Vendor Product Version
hcltech dragon *
CVE-2025-63402

An issue in HCL Technologies Limited HCLTech GRAGON before v.7.6.0 allows a remote attacker to execute arbitrary code via APIs do not enforcing limits on the number or size of requests

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 5.5 MEDIUM CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:H/A:L 0.7 4.7

Products Affected

Vendor Product Version
hcltech dragon *
CVE-2026-21783

HCL Traveler is affected by sensitive information disclosure.  The application generates some error messages that provide detailed information about errors and failures, such as internal paths, file names, sensitive tokens, credentials, error codes, or stack traces.  Attackers could exploit this information to gain insights into the system's architecture and potentially launch targeted attacks.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 2.8 1.4

Products Affected

Vendor Product Version
hcltech traveler *
CVE-2026-21786

HCL Sametime for iOS is impacted by a sensitive information disclosure. Hostnames information is written in application logs and certain URLs.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 3.3 LOW CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 1.8 1.4

Products Affected

Vendor Product Version
hcltech sametime *
CVE-2026-21788

HCL Connections is vulnerable to a cross-site scripting attack where an attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user which leads to executing malicious script code.  This may allow the attacker steal cookie-based authentication credentials and comprise user's account then launch other attacks.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@hcl.com 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

Products Affected

Vendor Product Version
hcltech connections 8.0