Hcltech Security Vulnerabilities (CVEs)

HCL Connections has an information disclosure vulnerability where, in specific user navigation scenarios, limited internal metadata can be exposed in ...

HCL AION 2.0 has a vulnerability where password fields don't disable autocomplete, potentially allowing browsers to store or autofill credentials. Thi...

HCL AION versions 2.0 have a SameSite cookie vulnerability that allows cookies to be sent in cross-site requests. This increases exposure to cross-sit...

HCL AION 2.0 lacks proper HTTP Strict-Transport-Security headers, allowing attackers to force insecure HTTP connections or downgrade HTTPS to HTTP. Th...

HCL AION stores sensitive session information in persistent cookies that survive browser sessions, potentially allowing attackers to hijack user sessi...

This vulnerability in HCL BigFix Compliance allows remote attackers to access sensitive files in the WEB-INF directory, potentially exposing Java clas...

HCL AION version 2 contains a technical error disclosure vulnerability that can expose sensitive system details through error messages. This affects o...

HCL AION version 2 has a weak password policy vulnerability that allows users to set easily guessable passwords. This could enable attackers to gain u...

HCL AION web applications are vulnerable due to missing standard security HTTP response headers. This allows attackers to more easily conduct common w...

HCL AION has an unrestricted file upload vulnerability that allows attackers to upload malicious files to the server. This could lead to remote code e...

HCL AION version 2 has a cacheable HTTP response vulnerability where sensitive or dynamic content may be stored in caches. This could allow unauthoriz...

HCL AION has an unrestricted file upload vulnerability that allows attackers to upload malicious files. This could lead to remote code execution or sy...

HCL AION version 2 has JWT tokens that remain valid for an excessively long time, allowing attackers who obtain these tokens to potentially maintain u...

HCL MyXalytics uses a static JWT signing secret that never rotates, allowing attackers who obtain the secret to forge authentication tokens. This affe...

This vulnerability allows authenticated attackers to maintain unauthorized access to protected API endpoints in HCL BigFix IVR due to insufficient ses...

This vulnerability allows a local attacker to make unauthorized configuration changes to HCL BigFix IVR without authentication. It affects systems run...

This vulnerability in HCL BigFix IVR 4.2 allows privileged attackers to disrupt service availability by exploiting administrative services bound to ex...

A Cross-Site Scripting (XSS) vulnerability in HCLTech DRAGON allows remote attackers to inject malicious scripts into web pages viewed by other users....

This vulnerability in HCLTech GRAGON allows remote attackers to execute arbitrary code by exploiting APIs that lack proper request size or number limi...

A Cross-Site Request Forgery (CSRF) vulnerability in HCL Unica 12.0.0 allows attackers to trick authenticated users into performing unintended actions...

A cross-site scripting (XSS) vulnerability in HCL Unica 12.0.0 allows attackers to inject malicious scripts into web pages viewed by other users. This...

This CSV formula injection vulnerability in HCL Unica 12.0.0 allows attackers to execute arbitrary formulas when CSV files are opened in spreadsheet a...

This CVE describes a file upload vulnerability in HCL Unica 12.0.0 that allows attackers to upload malicious files to the server. The vulnerability af...

HCL Connections has an information disclosure vulnerability where improper rendering of application data allows authenticated users to access sensitiv...

HCL Traveler for Microsoft Outlook (HTMO) has a credential leakage vulnerability that could allow attackers to access other computers or applications ...

HCL BigFix Mobile 3.3 and earlier have an insecure Content Security Policy (CSP) that doesn't properly restrict script sources. This allows attackers ...

HCL BigFix Modern Client Management (MCM) versions 3.3 and earlier have an insecure Content Security Policy (CSP) that doesn't properly restrict scrip...

HCL BigFix Mobile versions 3.3 and earlier have an improper access control vulnerability that allows unauthorized users to access a limited set of end...

CVE-2025-0274 is an improper access control vulnerability in HCL BigFix Modern Client Management (MCM) that allows unauthorized users to access a limi...

HCL Unica Platform has improper access controls that leave files unprotected, potentially exposing sensitive system or private information. Attackers ...

HCL Unica Platform has a misconfigured Content Security Policy (CSP) that could allow attackers to load malicious resources in users' browsers. This c...

HCL Unica 12.1.10 exposes sensitive system information that could help attackers plan targeted attacks. This affects organizations using HCL Unica 12....

HCL Unica Centralized Offer Management has an Insecure Direct Object Reference (IDOR) vulnerability that allows attackers to bypass authorization and ...

This vulnerability allows attackers to bypass script allowlist configurations in HCL AION due to an incorrectly configured Content-Security-Policy hea...

This vulnerability allows inline script execution despite Content Security Policy (CSP) restrictions in HCL AION v2.0. Attackers can bypass CSP protec...

A missing Secure attribute in SSL cookies in HCL AION allows attackers to intercept session cookies over unencrypted HTTP connections. This affects HC...

HCL MyXalytics v6.6 has an HTML injection vulnerability where untrusted input isn't properly sanitized before being included in web output. This allow...

CVE-2025-52656 is a mass assignment vulnerability in HCL MyXalytics 6.6 that allows attackers to modify sensitive application fields without proper au...

HCL BigFix SM has a cryptographic weakness due to weak or outdated encryption algorithms, allowing attackers with network access to potentially decryp...

HCL BigFix SaaS Authentication Service contains a SQL injection vulnerability that allows attackers to manipulate SQL queries. This affects organizati...

HCL BigFix SaaS Authentication Service discloses sensitive version information through error messages under certain conditions. This information discl...

HCL BigFix SaaS Authentication Service contains a Cross-Site Scripting vulnerability in its image upload functionality. Attackers can upload malicious...

HCL BigFix SaaS Authentication Service is vulnerable to cache poisoning due to improper validation of the Origin HTTP header. This could allow attacke...

CVE-2025-31987 is a resource exhaustion vulnerability in HCL Connections Docs where improper validation of uploaded documents can lead to denial of se...

HCL iAutomate has insufficient session expiration, allowing authentication tokens to remain valid indefinitely unless manually revoked. This affects a...

HCL iAutomate has a sensitive data exposure vulnerability that allows unauthorized access to confidential information stored within the system. This a...

HCL Traveler for Microsoft Outlook (HTMO) has a COM hijacking vulnerability that allows attackers to replace legitimate application components with ma...

HCL BigFix Compliance leaves temporary files in production environments that attackers can access through predictable URLs or misconfigured permission...

This vulnerability allows attackers to inject malicious scripts through query parameters in HCL Domino Volt and Domino Leap applications due to insuff...

This vulnerability in HCL Leap allows attackers to inject malicious scripts into web applications through the HTML widget. The insufficient sanitizati...