Filtered by vendor Hcltech
Subscriptions
Total
178 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-37502 | 1 Hcltech | 1 Hcl Compass | 2024-09-13 | 9 Critical |
| HCL Compass is vulnerable to lack of file upload security. An attacker could upload files containing active code that can be executed by the server or by a user's web browser. | ||||
| CVE-2023-37504 | 1 Hcltech | 1 Hcl Compass | 2024-09-12 | 7.1 High |
| HCL Compass is vulnerable to failure to invalidate sessions. The application does not invalidate authenticated sessions when the log out functionality is called. If the session identifier can be discovered, it could be replayed to the application and used to impersonate the user. | ||||
| CVE-2023-37503 | 1 Hcltech | 1 Hcl Compass | 2024-09-12 | 8.1 High |
| HCL Compass is vulnerable to insecure password requirements. An attacker could easily guess the password and gain access to user accounts. | ||||
| CVE-2023-50342 | 1 Hcltech | 1 Dryice Myxalytics | 2024-09-06 | 7.1 High |
| HCL DRYiCE MyXalytics is impacted by an Insecure Direct Object Reference (IDOR) vulnerability. A user can obtain certain details about another user as a result of improper access control. | ||||
| CVE-2023-45696 | 1 Hcltech | 1 Sametime | 2024-09-05 | 4 Medium |
| Sametime is impacted by sensitive fields with autocomplete enabled in the Legacy web chat client. By default, this allows user entered data to be stored by the browser. | ||||
| CVE-2023-45718 | 1 Hcltech | 1 Sametime | 2024-09-05 | 3.9 Low |
| Sametime is impacted by a failure to invalidate sessions. The application is setting sensitive cookie values in a persistent manner in Sametime Web clients. When this happens, cookie values can remain valid even after a user has closed out their session. | ||||
| CVE-2023-37533 | 1 Hcltech | 1 Connections | 2024-09-03 | 5.4 Medium |
| HCL Connections is vulnerable to reflected cross-site scripting (XSS) where an attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user after visiting the vulnerable URL which contains the malicious script code. This may allow the attacker to steal cookie-based authentication credentials and comprise a user's account then launch other attacks. | ||||
| CVE-2023-45716 | 1 Hcltech | 1 Sametime | 2024-08-22 | 1.7 Low |
| Sametime is impacted by sensitive information passed in URL. | ||||
| CVE-2017-1712 | 1 Hcltech | 1 Domino | 2024-08-05 | 5.9 Medium |
| "A vulnerability in the TLS protocol implementation of the Domino server could allow an unauthenticated, remote attacker to access sensitive information, aka a Return of Bleichenbacher's Oracle Threat (ROBOT) attack. An attacker could iteratively query a server running a vulnerable TLS stack implementation to perform cryptanalytic operations that may allow decryption of previously captured TLS sessions." | ||||
| CVE-2018-11518 | 1 Hcltech | 2 Legacy Ivr, Legacy Ivr Firmware | 2024-08-05 | N/A |
| A vulnerability allows a phreaking attack on HCL legacy IVR systems that do not use VoIP. These IVR systems rely on various frequencies of audio signals; based on the frequency, certain commands and functions are processed. Since these frequencies are accepted within a phone call, an attacker can record these frequencies and use them for service activations. This is a request-forgery issue when the required series of DTMF signals for a service activation is predictable (e.g., the IVR system does not speak a nonce to the caller). In this case, the IVR system accepts an activation request from a less-secure channel (any loudspeaker in the caller's physical environment) without verifying that the request was intended (it matches a nonce sent over a more-secure channel to the caller's earpiece). | ||||
| CVE-2019-16188 | 1 Hcltech | 1 Appscan Source | 2024-08-05 | 7.1 High |
| HCL AppScan Source before 9.03.13 is susceptible to XML External Entity (XXE) attacks in multiple locations. In particular, an attacker can send a specially crafted .ozasmt file to a targeted victim and ask the victim to open it. When the victim imports the .ozasmt file in AppScan Source, the content of any file in the local file system (to which the victim as read access) can be exfiltrated to a remote listener under the attacker's control. The product does not disable external XML Entity Processing, which can lead to information disclosure and denial of services attacks. | ||||
| CVE-2019-4391 | 1 Hcltech | 1 Appscan | 2024-08-04 | 8.2 High |
| HCL AppScan Standard is vulnerable to XML External Entity Injection (XXE) attack when processing XML data | ||||
| CVE-2019-4326 | 1 Hcltech | 1 Appscan | 2024-08-04 | 7.5 High |
| "HCL AppScan Enterprise security rules update administration section of the web application console is missing HTTP Strict-Transport-Security Header." | ||||
| CVE-2019-4324 | 1 Hcltech | 1 Appscan | 2024-08-04 | 6.1 Medium |
| "HCL AppScan Enterprise is susceptible to Cross-Site Scripting while importing a specially crafted test policy." | ||||
| CVE-2019-4301 | 1 Hcltech | 1 Self-service Application | 2024-08-04 | 8.4 High |
| BigFix Self-Service Application (SSA) is vulnerable to arbitrary code execution if Javascript code is included in Running Message or Post Message HTML. | ||||
| CVE-2019-4409 | 1 Hcltech | 1 Traveler | 2024-08-04 | 5.4 Medium |
| HCL Traveler versions 9.x and earlier are susceptible to cross-site scripting attacks. On the Problem Report page of the Traveler servlet pages, there is a field to specify a file attachment to provide additional problem details. An invalid file name returns an error message that includes the entered file name. If the file name is not escaped in the returned error page, it could expose a cross-site scripting (XSS) vulnerability. | ||||
| CVE-2019-4393 | 1 Hcltech | 1 Appscan | 2024-08-04 | 9.8 Critical |
| HCL AppScan Standard is vulnerable to excessive authorization attempts | ||||
| CVE-2019-4388 | 1 Hcltech | 1 Appscan Source | 2024-08-04 | 4.8 Medium |
| HCL AppScan Source 9.0.3.13 and earlier is susceptible to cross-site scripting (XSS) attacks by allowing users to embed arbitrary JavaScript code in the Web UI. | ||||
| CVE-2019-4327 | 1 Hcltech | 1 Appscan | 2024-08-04 | 7.5 High |
| "HCL AppScan Enterprise uses hard-coded credentials which can be exploited by attackers to get unauthorized access to application's encrypted files." | ||||
| CVE-2019-4323 | 1 Hcltech | 1 Appscan | 2024-08-04 | 4.3 Medium |
| "HCL AppScan Enterprise advisory API documentation is susceptible to clickjacking, which could allow an attacker to embed the contents of untrusted web pages in a frame." | ||||