Vulnerabilities (CVE)

Filtered by vendor Hcltech Subscribe
Total 154 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2020-4095 1 Hcltech 1 Bigfix Platform 2024-02-04 2.1 LOW 6.0 MEDIUM
"BigFix Platform is storing clear text credentials within the system's memory. An attacker who is able to gain administrative privileges can use a program to create a memory dump and extract the credentials. These credentials can be used to pivot further into the environment. The principle of least privilege should be applied to all BigFix deployments, limiting administrative access."
CVE-2019-4090 1 Hcltech 1 Marketing Campaign 2024-02-04 3.5 LOW 5.4 MEDIUM
"HCL Campaign is vulnerable to cross-site scripting when a user provides XSS scripts in Campaign Description field."
CVE-2019-4324 1 Hcltech 1 Appscan 2024-02-04 4.3 MEDIUM 6.1 MEDIUM
"HCL AppScan Enterprise is susceptible to Cross-Site Scripting while importing a specially crafted test policy."
CVE-2019-4091 1 Hcltech 1 Marketing Campaign 2024-02-04 3.5 LOW 5.4 MEDIUM
"HCL Marketing Platform is vulnerable to cross-site scripting during addition of new users and also while searching for users in Dashboard, potentially giving an attacker ability to inject malicious code into the system. "
CVE-2019-4391 1 Hcltech 1 Appscan 2024-02-04 6.4 MEDIUM 8.2 HIGH
HCL AppScan Standard is vulnerable to XML External Entity Injection (XXE) attack when processing XML data
CVE-2019-4388 1 Hcltech 1 Appscan Source 2024-02-04 3.5 LOW 4.8 MEDIUM
HCL AppScan Source 9.0.3.13 and earlier is susceptible to cross-site scripting (XSS) attacks by allowing users to embed arbitrary JavaScript code in the Web UI.
CVE-2019-16188 1 Hcltech 1 Appscan Source 2024-02-04 5.8 MEDIUM 7.1 HIGH
HCL AppScan Source before 9.03.13 is susceptible to XML External Entity (XXE) attacks in multiple locations. In particular, an attacker can send a specially crafted .ozasmt file to a targeted victim and ask the victim to open it. When the victim imports the .ozasmt file in AppScan Source, the content of any file in the local file system (to which the victim as read access) can be exfiltrated to a remote listener under the attacker's control. The product does not disable external XML Entity Processing, which can lead to information disclosure and denial of services attacks.
CVE-2020-4082 1 Hcltech 1 Connections 2024-02-04 3.5 LOW 5.4 MEDIUM
The HCL Connections 5.5 help system is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
CVE-2020-4083 1 Hcltech 1 Connections 2024-02-04 2.1 LOW 5.5 MEDIUM
HCL Connections 6.5 is vulnerable to possible information leakage. Connections could disclose sensitive information via trace logs to a local user.
CVE-2019-4392 1 Hcltech 1 Appscan 2024-02-04 10.0 HIGH 9.8 CRITICAL
HCL AppScan Standard Edition 9.0.3.13 and earlier uses hard-coded credentials which can be exploited by attackers to get unauthorized access to the system.
CVE-2019-4301 1 Hcltech 1 Self-service Application 2024-02-04 6.0 MEDIUM 8.4 HIGH
BigFix Self-Service Application (SSA) is vulnerable to arbitrary code execution if Javascript code is included in Running Message or Post Message HTML.
CVE-2019-4409 1 Hcltech 1 Traveler 2024-02-04 3.5 LOW 5.4 MEDIUM
HCL Traveler versions 9.x and earlier are susceptible to cross-site scripting attacks. On the Problem Report page of the Traveler servlet pages, there is a field to specify a file attachment to provide additional problem details. An invalid file name returns an error message that includes the entered file name. If the file name is not escaped in the returned error page, it could expose a cross-site scripting (XSS) vulnerability.
CVE-2020-4084 1 Hcltech 1 Connections 2024-02-04 3.5 LOW 5.4 MEDIUM
HCL Connections v5.5, v6.0, and v6.5 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVE-2018-11518 1 Hcltech 2 Legacy Ivr, Legacy Ivr Firmware 2024-02-04 6.8 MEDIUM 8.1 HIGH
A vulnerability allows a phreaking attack on HCL legacy IVR systems that do not use VoIP. These IVR systems rely on various frequencies of audio signals; based on the frequency, certain commands and functions are processed. Since these frequencies are accepted within a phone call, an attacker can record these frequencies and use them for service activations. This is a request-forgery issue when the required series of DTMF signals for a service activation is predictable (e.g., the IVR system does not speak a nonce to the caller). In this case, the IVR system accepts an activation request from a less-secure channel (any loudspeaker in the caller's physical environment) without verifying that the request was intended (it matches a nonce sent over a more-secure channel to the caller's earpiece).