Filtered by vendor Hcltech
Subscribe
Search
Total
32 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-50350 | 1 Hcltech | 1 Dryice Myxalytics | 2024-01-09 | N/A | 7.5 HIGH |
| HCL DRYiCE MyXalytics is impacted by the use of a broken cryptographic algorithm for encryption, potentially giving an attacker ability to decrypt sensitive information. | |||||
| CVE-2023-50341 | 1 Hcltech | 1 Dryice Myxalytics | 2024-01-09 | N/A | 7.5 HIGH |
| HCL DRYiCE MyXalytics is impacted by Improper Access Control (Obsolete web pages) vulnerability. Discovery of outdated and accessible web pages, reflects a "Missing Access Control" vulnerability, which could lead to inadvertent exposure of sensitive information and/or exposing a vulnerable endpoint. | |||||
| CVE-2023-37536 | 3 Apache, Fedoraproject, Hcltech | 3 Xerces-c\+\+, Fedora, Bigfix Platform | 2023-12-31 | N/A | 8.8 HIGH |
| An integer overflow in xerces-c++ 3.2.3 in BigFix Platform allows remote attackers to cause out-of-bound access via HTTP request. | |||||
| CVE-2023-23342 | 1 Hcltech | 1 Hcl Nomad | 2023-08-17 | N/A | 7.1 HIGH |
| If certain local files are manipulated in a certain manner, the validation to use the cryptographic keys can be circumvented. | |||||
| CVE-2023-23347 | 1 Hcltech | 1 Dryice Iautomate | 2023-08-16 | N/A | 7.1 HIGH |
| HCL DRYiCE iAutomate is affected by the use of a broken cryptographic algorithm. An attacker can potentially compromise the confidentiality and integrity of sensitive information. | |||||
| CVE-2023-23346 | 1 Hcltech | 1 Dryice Mycloud | 2023-08-15 | N/A | 7.1 HIGH |
| HCL DRYiCE MyCloud is affected by the use of a broken cryptographic algorithm. An attacker can potentially compromise the confidentiality and integrity of sensitive information. | |||||
| CVE-2023-37497 | 1 Hcltech | 1 Unica | 2023-08-08 | N/A | 8.8 HIGH |
| The Unica application exposes an API which accepts arbitrary XML input. By manipulating the given XML, an authenticated attacker with certain rights can successfully perform XML External Entity attacks (XXE) against the backend service. | |||||
| CVE-2023-37498 | 1 Hcltech | 1 Unica | 2023-08-08 | N/A | 8.8 HIGH |
| A user is capable of assigning him/herself to arbitrary groups by reusing a POST request issued by an administrator. It is possible that an attacker could potentially escalate their privileges. | |||||
| CVE-2022-38658 | 2 Hcltech, Microsoft | 2 Bigfix Server Automation, Windows | 2023-08-08 | N/A | 7.5 HIGH |
| BigFix deployments that have installed the Notification Service on Windows are susceptible to disclosing SMTP BigFix operator's sensitive data in clear text. Operators who use Notification Service related content from BES Support are at risk of leaving their SMTP sensitive data exposed. | |||||
| CVE-2023-28021 | 1 Hcltech | 1 Bigfix Webui | 2023-07-27 | N/A | 7.5 HIGH |
| The BigFix WebUI uses weak cipher suites. | |||||
| CVE-2023-28019 | 1 Hcltech | 1 Bigfix Webui | 2023-07-27 | N/A | 8.8 HIGH |
| Insufficient validation in Bigfix WebUI API App site version < 14 allows an authenticated WebUI user to issue SQL queries via an unparameterized SQL query. | |||||
| CVE-2020-4107 | 1 Hcltech | 1 Domino | 2022-06-02 | 4.6 MEDIUM | 7.8 HIGH |
| HCL Domino is affected by an Insufficient Access Control vulnerability. An authenticated attacker with local access to the system could exploit this vulnerability to attain escalation of privileges, denial of service, or information disclosure. | |||||
| CVE-2021-27777 | 1 Hcltech | 1 Unica | 2022-05-25 | 5.0 MEDIUM | 7.5 HIGH |
| XML External Entity (XXE) injection vulnerabilities occur when poorly configured XML parsers process user supplied input without sufficient validation. Attackers can exploit this vulnerability to manipulate XML content and inject malicious external entity references. | |||||
| CVE-2021-27771 | 1 Hcltech | 1 Sametime | 2022-05-24 | 6.5 MEDIUM | 7.6 HIGH |
| User SID can be modified resulting in an Arbitrary File Upload or deletion of directories causing a Denial of Service. When interacting in a normal matter with the Sametime chat application, users hold a cookie containing their session ID (SID). This value is also used when sending chat messages, receiving notifications and/or transferring files. | |||||
| CVE-2021-27770 | 1 Hcltech | 1 Sametime | 2022-05-24 | 6.8 MEDIUM | 8.8 HIGH |
| The vulnerability was discovered within the “FaviconService”. The service takes a base64-encoded URL which is then requested by the webserver. We assume this service is used by the “meetings”-function where users can specify an external URL where the online meeting will take place. | |||||
| CVE-2021-27761 | 1 Hcltech | 1 Bigfix Platform | 2022-05-18 | 5.0 MEDIUM | 7.5 HIGH |
| Weak web transport security (Weak TLS): An attacker may be able to decrypt the data using attacks | |||||
| CVE-2021-27767 | 1 Hcltech | 1 Bigfix Platform | 2022-05-16 | 4.6 MEDIUM | 7.8 HIGH |
| The BigFix Console installer is created with InstallShield, which was affected by CVE-2021-41526, a vulnerability that could allow a local user to perform a privilege escalation. This vulnerability was resolved by updating to an InstallShield version with the underlying vulnerability fixed. | |||||
| CVE-2021-27766 | 1 Hcltech | 1 Bigfix Platform | 2022-05-16 | 4.6 MEDIUM | 7.8 HIGH |
| The BigFix Client installer is created with InstallShield, which was affected by CVE-2021-41526, a vulnerability that could allow a local user to perform a privilege escalation. This vulnerability was resolved by updating to an InstallShield version with the underlying vulnerability fixed. | |||||
| CVE-2021-27765 | 1 Hcltech | 1 Bigfix Platform | 2022-05-16 | 4.6 MEDIUM | 7.8 HIGH |
| The BigFix Server API installer is created with InstallShield, which was affected by CVE-2021-41526, a vulnerability that could allow a local user to perform a privilege escalation. This vulnerability was resolved by updating to an InstallShield version with the underlying vulnerability fixed. | |||||
| CVE-2020-14273 | 1 Hcltech | 1 Domino | 2021-11-02 | 5.0 MEDIUM | 7.5 HIGH |
| HCL Domino is susceptible to a Denial of Service (DoS) vulnerability due to insufficient validation of input to its public API. An unauthenticated attacker could could exploit this vulnerability to crash the Domino server. | |||||
| CVE-2020-14254 | 1 Hcltech | 1 Bigfix Platform | 2021-07-21 | 4.3 MEDIUM | 7.5 HIGH |
| TLS-RSA cipher suites are not disabled in HCL BigFix Inventory up to v10.0.2. If TLS 2.0 and secure ciphers are not enabled then an attacker can passively record traffic and later decrypt it. | |||||
| CVE-2020-14255 | 1 Hcltech | 1 Digital Experience | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH |
| HCL Digital Experience 9.5 containers include vulnerabilities that could expose sensitive data to unauthorized parties via crafted requests. These affect containers only. These do not affect traditional on-premise installations. | |||||
| CVE-2020-14232 | 1 Hcltech | 1 Notes | 2020-12-21 | 9.0 HIGH | 8.8 HIGH |
| A vulnerability in the input parameter handling of HCL Notes v9 could potentially be exploited by an authenticated attacker resulting in a stack buffer overflow. This could allow the attacker to crash the program or inject code into the system which would execute with the privileges of the currently logged in user. | |||||
| CVE-2020-14230 | 1 Hcltech | 1 Domino | 2020-12-01 | 5.0 MEDIUM | 7.5 HIGH |
| HCL Domino is susceptible to a Denial of Service vulnerability caused by improper validation of user-supplied input. A remote unauthenticated attacker could exploit this vulnerability using a specially-crafted email message to hang the server. Versions previous to releases 9.0.1 FP10 IF6, 10.0.1 FP5 and 11.0.1 are affected. | |||||
| CVE-2020-14234 | 1 Hcltech | 1 Domino | 2020-12-01 | 5.0 MEDIUM | 7.5 HIGH |
| HCL Domino is susceptible to a Denial of Service vulnerability due to improper validation of user-supplied input, potentially giving an attacker the ability to crash the server. Versions previous to release 9.0.1 FP10 IF6 and release 10.0.1 are affected. | |||||
| CVE-2020-14258 | 1 Hcltech | 1 Notes | 2020-12-01 | 5.0 MEDIUM | 7.5 HIGH |
| HCL Notes is susceptible to a Denial of Service vulnerability caused by improper validation of user-supplied input. A remote unauthenticated attacker could exploit this vulnerability using a specially-crafted email message to hang the client. Versions 9, 10 and 11 are affected. | |||||
| CVE-2019-4326 | 1 Hcltech | 1 Appscan | 2020-10-19 | 5.0 MEDIUM | 7.5 HIGH |
| "HCL AppScan Enterprise security rules update administration section of the web application console is missing HTTP Strict-Transport-Security Header." | |||||
| CVE-2019-4301 | 1 Hcltech | 1 Self-service Application | 2020-08-24 | 6.0 MEDIUM | 8.4 HIGH |
| BigFix Self-Service Application (SSA) is vulnerable to arbitrary code execution if Javascript code is included in Running Message or Post Message HTML. | |||||
| CVE-2019-4327 | 1 Hcltech | 1 Appscan | 2020-04-29 | 5.0 MEDIUM | 7.5 HIGH |
| "HCL AppScan Enterprise uses hard-coded credentials which can be exploited by attackers to get unauthorized access to application's encrypted files." | |||||
| CVE-2019-4391 | 1 Hcltech | 1 Appscan | 2020-04-08 | 6.4 MEDIUM | 8.2 HIGH |
| HCL AppScan Standard is vulnerable to XML External Entity Injection (XXE) attack when processing XML data | |||||
| CVE-2019-16188 | 1 Hcltech | 1 Appscan Source | 2019-09-26 | 5.8 MEDIUM | 7.1 HIGH |
| HCL AppScan Source before 9.03.13 is susceptible to XML External Entity (XXE) attacks in multiple locations. In particular, an attacker can send a specially crafted .ozasmt file to a targeted victim and ask the victim to open it. When the victim imports the .ozasmt file in AppScan Source, the content of any file in the local file system (to which the victim as read access) can be exfiltrated to a remote listener under the attacker's control. The product does not disable external XML Entity Processing, which can lead to information disclosure and denial of services attacks. | |||||
| CVE-2018-11518 | 1 Hcltech | 2 Legacy Ivr, Legacy Ivr Firmware | 2018-07-20 | 6.8 MEDIUM | 8.1 HIGH |
| A vulnerability allows a phreaking attack on HCL legacy IVR systems that do not use VoIP. These IVR systems rely on various frequencies of audio signals; based on the frequency, certain commands and functions are processed. Since these frequencies are accepted within a phone call, an attacker can record these frequencies and use them for service activations. This is a request-forgery issue when the required series of DTMF signals for a service activation is predictable (e.g., the IVR system does not speak a nonce to the caller). In this case, the IVR system accepts an activation request from a less-secure channel (any loudspeaker in the caller's physical environment) without verifying that the request was intended (it matches a nonce sent over a more-secure channel to the caller's earpiece). | |||||