Hcltech
By the Year
In 2025 there have been 17 vulnerabilities in Hcltech products with an average CVSS base score of 7.1 out of 10. In 2024, Hcltech had 42 security vulnerabilities published. Hcltech is on track to have fewer vulnerabilities in 2025 than it did in 2024; however, the average base score of the 2025 vulnerabilities is higher by 0.49.
Year | Vulnerabilities | Average Score |
---|---|---|
2025 | 17 | 7.09 |
2024 | 42 | 6.60 |
2023 | 46 | 6.69 |
2022 | 53 | 6.88 |
2021 | 5 | 5.26 |
2020 | 37 | 6.97 |
2019 | 3 | 5.77 |
2018 | 0 | 0.00 |
It may take a day or so for new Hcltech vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Hcltech Security Vulnerabilities
HCL BigFix Compliance is affected by an improper or missing SameSite attribute
CVE-2024-42212
- May 05, 2025
HCL BigFix Compliance is affected by an improper or missing SameSite attribute. This can lead to Cross-Site Request Forgery (CSRF) attacks, where a malicious site could trick a user's browser into making unintended requests using authenticated sessions.
HCL BigFix Compliance is affected by inclusion of temporary files left in the production environment
CVE-2024-42213
- May 05, 2025
HCL BigFix Compliance is affected by inclusion of temporary files left in the production environment. An attacker might reach these files through directory indexing, predictable URLs, or misconfigured permissions, leading to information disclosure.
HCL MyXalytics is affected by a failure to restrict URL access vulnerability
CVE-2024-42178
7.5 - High
- April 17, 2025
HCL MyXalytics is affected by a failure to restrict URL access vulnerability. Unauthenticated users might gain unauthorized access to potentially confidential information, creating a risk of misuse, manipulation, or unauthorized distribution.
Missing Authentication for Critical Function
HCL MyXalytics is affected by SSL/TLS Protocol affected with BREACH & LUCKY13 vulnerabilities
CVE-2024-42177
6.4 - Medium
- April 17, 2025
HCL MyXalytics is affected by an SSL/TLS configuration vulnerable to BREACH and LUCKY13. BREACH is a side channel that recovers secrets from compressed HTTPS responses, and LUCKY13 is a timing side channel against CBC-mode cipher suites; either can let an attacker on the network path recover sensitive data from encrypted traffic. The usual mitigations are to disable HTTP response compression where user input is reflected alongside secrets and to prefer AEAD cipher suites over CBC ones.
Inadequate Encryption Strength
HCL MyXalytics is affected by concurrent login vulnerability
CVE-2024-42176
8 - High
- March 19, 2025
HCL MyXalytics is affected by a concurrent login vulnerability. A concurrent login vulnerability occurs when simultaneous active sessions are allowed for a single credential, which lets an attacker who obtains the credential or a session keep access to the user's account or sensitive information alongside the legitimate user.
HCL SX is vulnerable to cross-site request forgery vulnerability which could allow an attacker to execute malicious and unauthorized actions transmitted from a user
CVE-2024-30154
5.7 - Medium
- March 03, 2025
HCL SX is vulnerable to cross-site request forgery vulnerability which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.
HCL MyXalytics is affected by sensitive information disclosure vulnerability
CVE-2024-42179
2.7 - Low
- January 12, 2025
HCL MyXalytics is affected by a sensitive information disclosure vulnerability. The HTTP response header exposes Microsoft-HTTPAPI/2.0 as the server's name and version.
HCL MyXalytics is affected by a malicious file upload vulnerability
CVE-2024-42180
9.8 - Critical
- January 12, 2025
HCL MyXalytics is affected by a malicious file upload vulnerability. The application accepts invalid file uploads, including incorrect content types, double extensions, null bytes, and special characters, allowing attackers to upload and execute malicious files.
Unrestricted File Upload
HCL MyXalytics is affected by a cleartext transmission of sensitive information vulnerability
CVE-2024-42181
7.5 - High
- January 12, 2025
HCL MyXalytics is affected by a cleartext transmission of sensitive information vulnerability. The application transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
Cleartext Transmission of Sensitive Information
HCL MyXalytics is affected by a weak input validation vulnerability
CVE-2024-42175
9.8 - Critical
- January 11, 2025
HCL MyXalytics is affected by a weak input validation vulnerability. The application accepts special characters and performs no length validation, so unvalidated input reaches downstream sinks and can lead to SQL injection, XSS, and buffer overflow.
HCL MyXalytics is affected by a session fixation vulnerability
CVE-2024-42170
6.8 - Medium
- January 11, 2025
HCL MyXalytics is affected by a session fixation vulnerability. Cyber-criminals can exploit this by sending crafted URLs with a session token to access the victim's login session.
Session Fixation
HCL MyXalytics is affected by a session fixation vulnerability
CVE-2024-42171
6.4 - Medium
- January 11, 2025
HCL MyXalytics is affected by a session fixation vulnerability. Cyber-criminals can exploit this by sending crafted URLs with a session token to access the victim's login session.
Session Fixation
HCL MyXalytics is affected by broken authentication
CVE-2024-42172
9.8 - Critical
- January 11, 2025
HCL MyXalytics is affected by broken authentication. It allows attackers to compromise keys, passwords, and session tokens, potentially leading to identity theft and system control. This vulnerability arises from poor configuration, logic errors, or software bugs and can affect any application with access control, including databases, network infrastructure, and web applications.
Insufficiently Protected Credentials
HCL MyXalytics is affected by an improper password policy implementation vulnerability
CVE-2024-42173
4.8 - Medium
- January 11, 2025
HCL MyXalytics is affected by an improper password policy implementation vulnerability. Weak passwords and lack of account lockout policies allow attackers to guess or brute-force passwords if the username is known.
Weak Password Requirements
HCL MyXalytics is affected by username enumeration vulnerability
CVE-2024-42174
3.7 - Low
- January 11, 2025
HCL MyXalytics is affected by username enumeration vulnerability. This allows a malicious user to perform enumeration of application users, and therefore compile a list of valid usernames.
Side Channel Attack
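The two MyXalytics entries above (CVE-2024-42173, weak password policy without lockout, and CVE-2024-42174, username enumeration) are usually fixed in the same place: the login handler. The following is an added example written for this listing, not HCL's code. It assumes a hypothetical `AuthService` with an in-memory user table; the password policy thresholds and the common-password list are constructed for the example. The points it demonstrates are that an unknown username, a wrong password and a locked account all get the same response and the same amount of KDF work (so neither the message nor the timing reveals whether the account exists), and that repeated failures lock the account.

```python
import hashlib
import hmac
import re
import secrets
import time
from typing import Callable, Dict, List, Tuple

# Constructed for this example; not a real wordlist or HCL policy.
COMMON_PASSWORDS = {"password", "welcome1", "p@ssw0rd", "letmein", "qwerty123"}
MIN_LENGTH = 12
LOCK_THRESHOLD = 5          # failed attempts before the account locks
LOCK_SECONDS = 15 * 60
GENERIC_ERROR = "Invalid username or password."


def password_policy_problems(password: str) -> List[str]:
    """Return the policy rules a candidate password violates (empty list = acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("fewer than three character classes")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    return problems


class AuthService:
    """Hypothetical login service; the clock is injectable so lockout can be tested."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self.clock = clock
        self._users: Dict[str, Tuple[bytes, bytes]] = {}    # username -> (salt, hash)
        self._failures: Dict[str, Tuple[int, float]] = {}   # username -> (count, locked_until)
        # Dummy credential: unknown usernames cost the same KDF work as real ones,
        # so response time does not reveal whether the account exists.
        self._dummy_salt = secrets.token_bytes(16)
        self._dummy_hash = self._kdf("not-a-real-password", self._dummy_salt)

    @staticmethod
    def _kdf(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, username: str, password: str) -> None:
        problems = password_policy_problems(password)
        if problems:
            raise ValueError("; ".join(problems))
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._kdf(password, salt))

    def login(self, username: str, password: str) -> Tuple[bool, str]:
        """Return (success, message). The message is identical for an unknown
        user, a wrong password and a locked account."""
        now = self.clock()
        count, locked_until = self._failures.get(username, (0, 0.0))
        if locked_until > now:
            return False, GENERIC_ERROR
        salt, stored = self._users.get(username, (self._dummy_salt, self._dummy_hash))
        candidate = self._kdf(password, salt)
        # Constant-time compare; the membership test comes second so the KDF always runs.
        ok = hmac.compare_digest(candidate, stored) and username in self._users
        if ok:
            self._failures.pop(username, None)
            return True, ""
        count += 1
        if count >= LOCK_THRESHOLD:
            locked_until = now + LOCK_SECONDS
        self._failures[username] = (count, locked_until)
        return False, GENERIC_ERROR

    def is_locked(self, username: str) -> bool:
        return self._failures.get(username, (0, 0.0))[1] > self.clock()
```

A per-username lockout is itself a signal (and a denial-of-service lever) if the locked state produces a different response, which is why the locked branch returns the same generic message; in production it is normally paired with per-source-IP throttling so an attacker cannot lock out real users at will.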
HCL MyXalytics is affected by out-of-band resource load (HTTP) vulnerability
CVE-2024-42168
9.4 - Critical
- January 11, 2025
HCL MyXalytics is affected by out-of-band resource load (HTTP) vulnerability. An attacker can deploy a web server that returns malicious content, and then induce the application to retrieve and process that content.
SSRF
HCL MyXalytics is affected by insecure direct object references
CVE-2024-42169
8.1 - High
- January 11, 2025
HCL MyXalytics is affected by insecure direct object references. It occurs due to missing access control checks, which fail to verify whether a user should be allowed to access specific data.
Insecure Direct Object Reference / IDOR
HCL BigFix Compliance Unvalidated Redirect
CVE-2024-30140
- November 07, 2024
HCL BigFix Compliance is affected by unvalidated redirects and forwards. The Host header can be manipulated by an attacker; if the resulting redirect response is cached, the poisoned response is served back to other users requesting the page.
HCL BigFix Compliance Sensitive Error Disclosure
CVE-2024-30141
- November 07, 2024
HCL BigFix Compliance is vulnerable to the generation of error messages containing sensitive information. Detailed error messages can give an attacker useful leads or expose information about the environment, users, or associated data.
HCL BigFix Compliance Cookie Secure Flag Missing
CVE-2024-30142
- November 07, 2024
HCL BigFix Compliance is affected by a missing Secure flag on a cookie. Without the Secure flag the browser also sends the cookie over unencrypted HTTP, where it can be captured on the network and replayed for unauthorized access. Note that the Secure flag does not stop a cookie from being read by injected script (XSS); that is what the separate HttpOnly flag controls.
HCL Connections is vulnerable to an information disclosure vulnerability due to an IBM WebSphere Application Server error
CVE-2024-30106
4.3 - Medium
- October 28, 2024
HCL Connections is vulnerable to an information disclosure vulnerability, due to an IBM WebSphere Application Server error, which could allow a user to obtain sensitive information they are not entitled to due to the improper handling of request data.
HCL Sametime is impacted by the error messages containing sensitive information
CVE-2023-50355
5.3 - Medium
- October 23, 2024
HCL Sametime is impacted by the error messages containing sensitive information. An attacker can use this information to launch another, more focused attack.
Generation of Error Message Containing Sensitive Information
HCL Sametime is impacted by misconfigured security related HTTP headers
CVE-2024-30122
5.3 - Medium
- October 23, 2024
HCL Sametime is impacted by misconfigured security related HTTP headers. It was identified that some HTTP headers were missing on web service responses. This will lead to less secure browser default treatment for the policies controlled by these headers.
A dynamic search for a prerequisite library could allow an attacker to replace the correct file
CVE-2024-30117
5.3 - Medium
- October 14, 2024
A dynamic search for a prerequisite library could allow the possibility for an attacker to replace the correct file under some circumstances.
DLL preloading
HCL Connections is vulnerable to an information disclosure vulnerability
CVE-2024-30118
5.7 - Medium
- October 09, 2024
HCL Connections is vulnerable to an information disclosure vulnerability which could allow a user to obtain sensitive information they are not entitled to because of improperly handling the request data.
HCL Nomad is susceptible to an insufficient session expiration vulnerability
CVE-2024-23586
7.5 - High
- September 27, 2024
HCL Nomad is susceptible to an insufficient session expiration vulnerability. Under certain circumstances, an unauthenticated attacker could obtain old session information.
Insufficient Session Expiration
HCL BigFix Compliance is affected by a missing X-Frame-Options HTTP header which can allow an attacker to create a malicious website
CVE-2024-30126
- July 18, 2024
HCL BigFix Compliance is affected by a missing X-Frame-Options HTTP header which can allow an attacker to create a malicious website that embeds the target website in a frame or iframe, tricking users into performing actions on the target website without their knowledge.
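Several entries on this page are the same class of finding seen from a response header: a cookie without SameSite (CVE-2024-42212), a cookie without the Secure flag (CVE-2024-30142), missing security headers (CVE-2024-30122), a missing X-Frame-Options header (CVE-2024-30126) and a Server banner that discloses the platform (CVE-2024-42179). The audit below is an added example for this listing, not HCL's code or any scanner's; it parses a constructed raw HTTP response (not captured from any HCL product) and reports those weaknesses. It also treats a CSP `frame-ancestors` directive as an acceptable substitute for X-Frame-Options, since that is the modern equivalent.

```python
import re
from typing import Dict, List

# Constructed sample response for the example; not captured from any HCL product.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-HTTPAPI/2.0\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: JSESSIONID=0123456789abcdef; Path=/\r\n"
    "Set-Cookie: csrf=tok; Path=/; Secure; HttpOnly; SameSite=Strict\r\n"
    "\r\n"
    "<html></html>"
)

# Headers whose absence leaves the browser on its weaker default behaviour.
REQUIRED_HEADERS = ("strict-transport-security", "x-content-type-options")


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Split a raw HTTP response into {lower-cased name: [values]}; the status line is dropped."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit_cookie(set_cookie: str) -> List[str]:
    """Findings for one Set-Cookie value: Secure, HttpOnly and SameSite attributes."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for p in parts[1:]:
        key, _, val = p.partition("=")
        attrs[key.lower()] = val
    findings = []
    if "secure" not in attrs:
        findings.append(f"cookie {name}: no Secure flag (will be sent over plain HTTP)")
    if "httponly" not in attrs:
        findings.append(f"cookie {name}: no HttpOnly flag (readable by injected script)")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append(f"cookie {name}: SameSite missing or None (sent on cross-site requests)")
    return findings


def audit_response(raw: str) -> List[str]:
    headers = parse_headers(raw)
    findings: List[str] = []
    for value in headers.get("set-cookie", []):
        findings.extend(audit_cookie(value))
    csp = " ".join(headers.get("content-security-policy", []))
    if "x-frame-options" not in headers and "frame-ancestors" not in csp:
        findings.append("no X-Frame-Options and no CSP frame-ancestors (framable: clickjacking)")
    for name in REQUIRED_HEADERS:
        if name not in headers:
            findings.append(f"missing {name}")
    for banner in headers.get("server", []):
        if re.search(r"\d", banner):          # product/version string in the banner
            findings.append(f"Server header discloses platform version: {banner}")
    return findings


if __name__ == "__main__":
    for finding in audit_response(SAMPLE_RESPONSE):
        print(finding)
```

Browsers now default an unattributed cookie to Lax, but the default is not a fix: it is not applied uniformly, and a `SameSite=None` cookie must carry `Secure` or it is dropped. Setting the attributes explicitly is what closes the finding.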
HCL BigFix Compliance server can respond with an HTTP status of 500, indicating a server-side error
CVE-2024-30125
- July 18, 2024
HCL BigFix Compliance server can respond with an HTTP status of 500, indicating a server-side error that may cause the server process to terminate (denial of service).
A security vulnerability in HCL Domino could allow disclosure of sensitive configuration information
CVE-2024-23562
7.5 - High
- July 08, 2024
A security vulnerability in HCL Domino could allow disclosure of sensitive configuration information. A remote unauthenticated attacker could exploit this vulnerability to obtain information to launch further attacks against the affected system.
HCL Nomad server on Domino fails to properly handle users configured with limited Domino access resulting in a possible denial of service vulnerability.
CVE-2024-23588
6.5 - Medium
- July 05, 2024
HCL Nomad server on Domino fails to properly handle users configured with limited Domino access resulting in a possible denial of service vulnerability.
The Domino Catalog template is susceptible to a Stored Cross-Site Scripting (XSS) vulnerability
CVE-2023-37539
5.4 - Medium
- June 06, 2024
The Domino Catalog template is susceptible to a Stored Cross-Site Scripting (XSS) vulnerability. An attacker with the ability to edit documents in the catalog application/database created from this template can embed a cross site scripting attack. The attack would be activated by an end user clicking it.
XSS
HCL DRYiCE MyXalytics is impacted by an insecure SQL interface vulnerability
CVE-2023-50347
9.8 - Critical
- April 10, 2024
HCL DRYiCE MyXalytics is impacted by an insecure SQL interface vulnerability, potentially giving an attacker the ability to execute custom SQL queries. A malicious user can run arbitrary SQL commands including changing system configuration.
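Both CVE-2023-50347 (an interface that runs attacker-influenced SQL) and CVE-2024-42175 above (special characters accepted without length validation, leading to SQL injection) come down to how user input meets the statement. The example below is added for this listing and is not HCL's code; it uses an in-memory SQLite table constructed for the demonstration, and the `reports` schema and the `INJECTION` payload are hypothetical. It shows the spliced-string query leaking another owner's rows, and the parameterised query with a length bound and `LIKE`-wildcard escaping treating the same payload as plain text.

```python
import sqlite3
from typing import List


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a reporting backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE reports (id INTEGER PRIMARY KEY, owner TEXT, title TEXT)")
    conn.executemany(
        "INSERT INTO reports (owner, title) VALUES (?, ?)",
        [("alice", "Q1 uptime"), ("alice", "Patch status"), ("bob", "Board pack")],
    )
    return conn


def search_unsafe(conn: sqlite3.Connection, owner: str, needle: str) -> List[str]:
    """The weak pattern: user input spliced into the statement text.
    Quotes and comment markers in `needle` change the query's structure."""
    sql = f"SELECT title FROM reports WHERE owner = '{owner}' AND title LIKE '%{needle}%'"
    return [row[0] for row in conn.execute(sql)]


MAX_TERM = 64  # length bound: oversized input is refused rather than passed through


def search_safe(conn: sqlite3.Connection, owner: str, needle: str) -> List[str]:
    """Bound parameters: the driver sends the value separately from the statement,
    so quotes and comment markers are just characters inside the search term."""
    if len(needle) > MAX_TERM:
        raise ValueError("search term too long")
    # LIKE wildcards are still meaningful inside a bound value; escape them as well.
    escaped = needle.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = "SELECT title FROM reports WHERE owner = ? AND title LIKE ? ESCAPE '\\'"
    return [row[0] for row in conn.execute(sql, (owner, f"%{escaped}%"))]


# Constructed payload: closes the string literal, adds an always-true clause,
# and comments out the trailing quote and wildcard.
INJECTION = "%' OR 1=1 --"
```

Note that the safe version does not "sanitise" the input: it keeps it out of the statement entirely. Length bounding is a separate control that limits what an attacker can feed to any sink, not a substitute for parameterisation.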
An administrative user of WebReports may perform a Server Side Request Forgery (SSRF) exploit through SMTP configuration options.
CVE-2023-45705
7.2 - High
- March 28, 2024
An administrative user of WebReports may perform a Server Side Request Forgery (SSRF) exploit through SMTP configuration options.
SSRF
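CVE-2024-42168 above (MyXalytics induced to fetch and process content from an attacker's web server) and CVE-2023-45705 (WebReports SMTP configuration used as an SSRF primitive by an administrator) are both about where the server is allowed to connect. The check below is an added example for this listing and is not HCL's code. It assumes a hypothetical `check_outbound` gate called before any server-side fetch; the `FAKE_DNS` table is constructed so the example runs offline (203.0.113.0/24 is documentation address space), and `system_resolver` is what production would pass instead. The policy is: http(s) only, no userinfo, an allowed port set, an optional host allow-list (the right shape for an admin-configured SMTP relay), and every resolved address outside loopback, RFC 1918, link-local (which includes cloud metadata endpoints), CGNAT and ULA space.

```python
import ipaddress
import socket
from typing import Callable, Iterable, Optional, Set, Tuple
from urllib.parse import urlsplit

# Address ranges an outbound fetch must never reach.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def is_blocked_ip(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:   # ::ffff:10.0.0.1 and friends
        addr = addr.ipv4_mapped
    return addr.is_multicast or addr.is_reserved or any(addr in net for net in BLOCKED_NETS)


def system_resolver(host: str) -> Set[str]:
    """Live DNS lookup for production use; the example run uses a table instead."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


# Constructed lookup table so the example runs offline.
FAKE_DNS = {
    "reports.example": {"203.0.113.10"},
    "intranet.corp": {"10.20.30.40"},
    "dual.example": {"203.0.113.11", "169.254.169.254"},   # one public, one metadata address
}


def fake_resolver(host: str) -> Set[str]:
    try:
        ipaddress.ip_address(host)
        return {host}                      # literal IP: nothing to resolve
    except ValueError:
        pass
    if host in FAKE_DNS:
        return FAKE_DNS[host]
    raise OSError(f"cannot resolve {host}")


def check_outbound(url: str, allowed_hosts: Optional[Iterable[str]] = None,
                   allowed_ports: Iterable[int] = (80, 443),
                   resolver: Callable[[str], Set[str]] = system_resolver) -> Tuple[bool, str]:
    """Decide whether the application may fetch `url`. Returns (allowed, reason)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not permitted"
    if parts.username or parts.password:
        return False, "userinfo in URL"
    host = parts.hostname
    if not host:
        return False, "no host"
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False, "invalid port"
    if port not in set(allowed_ports):
        return False, f"port {port} not permitted"
    if allowed_hosts is not None and host.lower() not in {h.lower() for h in allowed_hosts}:
        return False, f"host {host} not on allow-list"
    try:
        addresses = resolver(host)
    except OSError as exc:
        return False, str(exc)
    for ip in addresses:                  # every record must be acceptable, not just the first
        if is_blocked_ip(ip):
            return False, f"{host} resolves to blocked address {ip}"
    return True, "ok"
```

The resolved addresses should then be the ones actually connected to (and redirects re-checked through the same gate); re-resolving the name at connect time reopens the check to DNS rebinding.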
A cross-site scripting (XSS) vulnerability in the Web Reports component of HCL BigFix Platform
CVE-2023-37530
5.4 - Medium
- February 29, 2024
A cross-site scripting (XSS) vulnerability in the Web Reports component of HCL BigFix Platform can allow an attacker to inject malicious JavaScript into a web page in order to retrieve information stored in cookies.
XSS
A cross-site scripting (XSS) vulnerability in the Web Reports component of HCL BigFix Platform
CVE-2023-37531
4.8 - Medium
- February 29, 2024
A cross-site scripting (XSS) vulnerability in the Web Reports component of HCL BigFix Platform can allow a user with privileged access to inject malicious JavaScript into a form field of a web page.
XSS
A cross-site scripting (XSS) vulnerability in the Web Reports component of HCL BigFix Platform
CVE-2023-37529
5.4 - Medium
- February 29, 2024
A cross-site scripting (XSS) vulnerability in the Web Reports component of HCL BigFix Platform can allow an attacker to inject malicious JavaScript into a web page in order to retrieve information stored in cookies. This is not the same vulnerability as CVE-2023-37530.
XSS
Internet passwords stored in Person documents in the Domino® Directory created using the "Add Person" action on the People & Groups tab in the Domino® Administrator are secured using a cryptographically weak hash algorithm
CVE-2023-37495
- February 29, 2024
Internet passwords stored in Person documents in the Domino® Directory created using the "Add Person" action on the People & Groups tab in the Domino® Administrator are secured using a cryptographically weak hash algorithm. This could enable attackers with access to the hashed value to determine a user's password, e.g. using a brute force attack. This issue does not impact Person documents created through user registration (https://help.hcltechsw.com/domino/10.0.1/admin/conf_userregistration_c.html).
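The advisory above says only that the hash is cryptographically weak and that brute force recovers the password; it does not name the algorithm, and the example below does not claim to reproduce Domino's scheme. It is an added illustration for this listing, not HCL's code: an unsalted single-pass digest stands in for "weak", a salted iterated PBKDF2 stands in for an acceptable password hash, and the `WORDLIST` is a constructed candidate list. The point it makes concrete is why the weak form is cheap to attack: one precomputed table cracks every user's hash, whereas a per-user salt forces a full KDF run per guess per user.

```python
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

# Constructed candidate list; a real attack uses leaked-password corpora of many millions.
WORDLIST = ["password", "letmein", "Welcome1", "summer2024", "P@ssw0rd"]


def weak_hash(password: str) -> str:
    """Unsalted, single-pass digest. Stands in for any fast unsalted scheme;
    the page does not say which algorithm the Domino Person documents use."""
    return hashlib.sha1(password.encode()).hexdigest()


def crack_weak(target: str, wordlist: Iterable[str]) -> Optional[str]:
    """One table serves every hash weak_hash ever produced: build it once, reuse it for all users."""
    table = {weak_hash(w): w for w in wordlist}
    return table.get(target)


def strong_hash(password: str, iterations: int = 600_000, salt: Optional[bytes] = None) -> str:
    """Salted, iterated KDF (PBKDF2-HMAC-SHA256), stored as algo$iters$salt$dk."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_strong(password: str, stored: str) -> bool:
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_strong(stored: str, wordlist: Iterable[str]) -> Optional[str]:
    """No shared table is possible: the per-user salt forces a full KDF run per guess per user."""
    for candidate in wordlist:
        if verify_strong(candidate, stored):
            return candidate
    return None
```

With a fast unsalted hash the attacker's cost is one digest per candidate for the whole directory; with the salted KDF it is `iterations` digests per candidate per user, which is the whole reason the second form is preferred. A weak password still falls to either, so the hash change belongs alongside the password-policy and lockout controls discussed elsewhere on this page.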
HCL Connections is vulnerable to a denial of service, caused by improper validation on certain requests
CVE-2023-28018
6.5 - Medium
- February 12, 2024
HCL Connections is vulnerable to a denial of service, caused by improper validation on certain requests. Using a specially-crafted request an attacker could exploit this vulnerability to cause denial of service for affected users.
Sametime is impacted by lack of clickjacking protection in Outlook add-in
CVE-2023-45698
6.1 - Medium
- February 10, 2024
Sametime is impacted by lack of clickjacking protection in Outlook add-in. The application is not implementing appropriate protections in order to protect users from clickjacking attacks.
Clickjacking
Sametime is impacted by sensitive fields with autocomplete enabled in the Legacy web chat client
CVE-2023-45696
7.5 - High
- February 10, 2024
Sametime is impacted by sensitive fields with autocomplete enabled in the Legacy web chat client. By default, this allows user entered data to be stored by the browser.
Sametime is impacted by a failure to invalidate sessions
CVE-2023-45718
7.5 - High
- February 09, 2024
Sametime is impacted by a failure to invalidate sessions. The application is setting sensitive cookie values in a persistent manner in Sametime Web clients. When this happens, cookie values can remain valid even after a user has closed out their session.
Session Fixation
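Five of the entries on this page are session-lifecycle defects: concurrent logins for one credential (CVE-2024-42176), session fixation via a crafted URL (CVE-2024-42170 and CVE-2024-42171), insufficient session expiration (CVE-2024-23586) and the Sametime failure to invalidate sessions described just above (CVE-2023-45718). The session store below is an added example for this listing and is not HCL's code; the `SessionStore` class, its idle timeout and the single-session policy are hypothetical, and the clock is injectable so expiry can be exercised without waiting. It shows the four controls that close those findings: an ID the server did not issue is never honoured, the ID is rotated at login, logout and expiry delete the record server-side, and a new login evicts the user's older session.

```python
import secrets
import time
from typing import Callable, Dict, Optional


class SessionStore:
    """In-memory server-side session table (hypothetical; an added example)."""

    def __init__(self, ttl_seconds: int = 900, single_session: bool = True,
                 clock: Callable[[], float] = time.time):
        self.ttl = ttl_seconds
        self.single_session = single_session   # evict older sessions of the same user
        self.clock = clock
        self._sessions: Dict[str, dict] = {}    # sid -> {"user": str | None, "expires": float}

    def _new_id(self) -> str:
        return secrets.token_urlsafe(32)        # 256 bits from the OS CSPRNG

    def start_anonymous(self) -> str:
        """Pre-login session (for example to hold a CSRF token)."""
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "expires": self.clock() + self.ttl}
        return sid

    def resolve(self, sid: Optional[str]) -> Optional[dict]:
        """A presented ID is valid only if this server created it and it has not expired.
        An unknown ID (one an attacker planted in a link) is never adopted."""
        rec = self._sessions.get(sid or "")
        if rec is None:
            return None
        if rec["expires"] <= self.clock():
            del self._sessions[sid]
            return None
        rec["expires"] = self.clock() + self.ttl   # idle timeout: extend on use
        return rec

    def login(self, presented_sid: Optional[str], user: str) -> str:
        """Call once credentials are verified. The client's old ID is discarded and a
        fresh one issued, so nothing chosen before authentication carries over."""
        if self.single_session:
            for old, rec in list(self._sessions.items()):
                if rec["user"] == user:
                    del self._sessions[old]
        self._sessions.pop(presented_sid or "", None)
        sid = self._new_id()
        self._sessions[sid] = {"user": user, "expires": self.clock() + self.ttl}
        return sid

    def logout(self, sid: Optional[str]) -> None:
        """Invalidate server-side; clearing the browser cookie alone leaves the ID replayable."""
        self._sessions.pop(sid or "", None)

    def current_user(self, sid: Optional[str]) -> Optional[str]:
        rec = self.resolve(sid)
        return rec["user"] if rec else None
```

The same rules apply whether the ID travels in a cookie or, as in the MyXalytics reports, in a URL; accepting the ID from a URL at all is what makes the crafted-link attack possible, so a cookie with the attributes discussed earlier on this page is the better carrier.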
Sametime is impacted by sensitive information passed in URL.
CVE-2023-45716
4.1 - Medium
- February 09, 2024
Sametime is impacted by sensitive information passed in URL.
Cleartext Transmission of Sensitive Information
Sametime is impacted by a Cross Site Request Forgery (CSRF) vulnerability
CVE-2023-50349
8.8 - High
- February 09, 2024
Sametime is impacted by a Cross Site Request Forgery (CSRF) vulnerability. Some REST APIs in the Sametime Proxy application can allow an attacker to perform malicious actions on the application.
Session Riding
A cross-site scripting (XSS) vulnerability in the Web Reports component of HCL BigFix Platform
CVE-2023-37528
6.1 - Medium
- February 03, 2024
A cross-site scripting (XSS) vulnerability in the Web Reports component of HCL BigFix Platform can allow an attacker to exploit an application parameter during execution of the Save Report action.
XSS
A cross-site scripting (XSS) vulnerability in the Web Reports component of HCL BigFix Platform exists due to a missing HTTP header attribute.
CVE-2024-23553
5.4 - Medium
- February 02, 2024
A cross-site scripting (XSS) vulnerability in the Web Reports component of HCL BigFix Platform exists due to a missing HTTP header attribute.
XSS
A reflected cross-site scripting (XSS) vulnerability in the Web Reports component of HCL BigFix Platform
CVE-2023-37527
6.1 - Medium
- February 02, 2024
A reflected cross-site scripting (XSS) vulnerability in the Web Reports component of HCL BigFix Platform can allow an attacker to inject malicious JavaScript, via remote injection, into the application session or the database, where it executes while content is rendered in a web page.
XSS
HCL BigFix ServiceNow is vulnerable to arbitrary code injection
CVE-2023-37518
8.8 - High
- January 30, 2024
HCL BigFix ServiceNow is vulnerable to arbitrary code injection. A malicious authorized attacker could inject arbitrary code and execute within the context of the running user.
Code Injection
HCL DRYiCE MyXalytics product is impacted by unauthenticated file upload vulnerability
CVE-2023-45724
9.8 - Critical
- January 03, 2024
HCL DRYiCE MyXalytics product is impacted by unauthenticated file upload vulnerability. The web application permits the upload of a certain file without requiring user authentication.
Unrestricted File Upload
HCL DRYiCE MyXalytics is impacted by Improper Access Control (Obsolete web pages) vulnerability
CVE-2023-50341
7.5 - High
- January 03, 2024
HCL DRYiCE MyXalytics is impacted by an Improper Access Control (obsolete web pages) vulnerability. Outdated but still reachable web pages reflect missing access control, which could lead to inadvertent exposure of sensitive information and/or expose a vulnerable endpoint.
HCL DRYiCE MyXalytics is impacted by path traversal vulnerability which allows file upload capability
CVE-2023-45723
9.8 - Critical
- January 03, 2024
HCL DRYiCE MyXalytics is impacted by path traversal vulnerability which allows file upload capability. Certain endpoints permit users to manipulate the path (including the file name) where these files are stored on the server.
Directory traversal
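CVE-2024-42180 earlier on this page (uploads accepted with wrong content types, double extensions, null bytes and special characters) and CVE-2023-45723 just above (upload endpoints that let the client steer the stored path) are two halves of the same control. The validator below is an added example for this listing, not HCL's code. It assumes a hypothetical upload policy (`ALLOWED_TYPES`, two types with their magic bytes) and a hypothetical `UPLOAD_ROOT`; the test inputs are constructed. Filename checks reject each of the tricks the advisory lists, the declared Content-Type must agree with the extension and with the first bytes of the body, and the stored path is chosen by the server and checked for containment, so the client's name never reaches the filesystem.

```python
import os
import re
import secrets
from pathlib import Path

# Hypothetical policy for this example: extension -> (magic bytes, Content-Type).
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n", "image/png"),
    "pdf": (b"%PDF-", "application/pdf"),
}
UPLOAD_ROOT = Path("/var/app/uploads")   # assumed storage location
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,8})")   # exactly one dot


class UploadRejected(ValueError):
    pass


def validate_upload(filename: str, content_type: str, head: bytes) -> str:
    """Return the accepted extension or raise UploadRejected.
    `head` is the first bytes of the uploaded body, checked against the magic bytes."""
    if "\x00" in filename:
        raise UploadRejected("null byte in filename")
    if os.path.basename(filename.replace("\\", "/")) != filename or filename in ("", ".", ".."):
        raise UploadRejected("path separator or dot-segment in filename")
    m = SAFE_NAME.fullmatch(filename)
    if m is None:
        raise UploadRejected("special characters or double extension")
    ext = m.group(1).lower()
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension .{ext} not allowed")
    magic, expected_type = ALLOWED_TYPES[ext]
    if content_type.split(";", 1)[0].strip().lower() != expected_type:
        raise UploadRejected("Content-Type does not match extension")
    if not head.startswith(magic):
        raise UploadRejected("body does not match declared type")
    return ext


def is_rejected(filename: str, content_type: str, head: bytes) -> bool:
    try:
        validate_upload(filename, content_type, head)
    except UploadRejected:
        return True
    return False


def is_contained(root: Path, candidate: Path) -> bool:
    """True when `candidate` stays inside `root` after resolving '..' and symlinks."""
    root_r, cand_r = root.resolve(), candidate.resolve()
    return cand_r == root_r or root_r in cand_r.parents


def storage_path(ext: str, root: Path = UPLOAD_ROOT) -> Path:
    """Server-chosen name: the client never influences where the file lands."""
    dest = root / f"{secrets.token_hex(16)}.{ext}"
    if not is_contained(root, dest):
        raise UploadRejected("destination escapes upload root")
    return dest
```

Magic-byte checks cover the types in the policy, not arbitrary content, so the upload directory should also be served without execute permissions (or from a separate host) so that a file which passes validation still cannot run as code.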