Hcltech


Products by Hcltech Sorted by Most Security Vulnerabilities since 2018

Hcltech Dryice Myxalytics: 27 vulnerabilities
Hcltech Bigfix Platform: 22 vulnerabilities
Hcltech Domino: 21 vulnerabilities
Hcltech Sametime: 12 vulnerabilities
Hcltech Connections: 11 vulnerabilities
Hcltech Notes: 10 vulnerabilities
Hcltech Bigfix Compliance: 8 vulnerabilities
Hcltech Digital Experience: 6 vulnerabilities
Hcltech Bigfix Webui: 6 vulnerabilities
Hcltech Bigfix Mobile: 6 vulnerabilities
Hcltech Unica: 6 vulnerabilities
Hcltech Verse: 5 vulnerabilities
Hcltech Hcl Compass: 4 vulnerabilities
Hcltech Traveler Companion: 3 vulnerabilities
Hcltech Hcl Nomad: 3 vulnerabilities
Hcltech Traveler To Do: 2 vulnerabilities
Hcltech Workload Automation: 2 vulnerabilities
Hcltech Appscan Presence: 1 vulnerability
Hcltech Hcl Sx: 1 vulnerability
Hcltech Commerce: 1 vulnerability
Hcltech Dryice Iautomate: 1 vulnerability
Hcltech Hcl Leap: 1 vulnerability
Hcltech Dryice Mycloud: 1 vulnerability

By the Year

In 2025 there have been 17 vulnerabilities in Hcltech products, with an average score of 7.1 out of ten. Last year, in 2024, Hcltech had 42 security vulnerabilities published. Right now, Hcltech is on track to have fewer security vulnerabilities in 2025 than it did last year. However, the average CVE base score of the vulnerabilities in 2025 is greater by 0.49.

Year   Vulnerabilities   Average Score
2025   17                7.09
2024   42                6.60
2023   46                6.69
2022   53                6.88
2021   5                 5.26
2020   37                6.97
2019   3                 5.77
2018   0                 0.00

It may take a day or so for new Hcltech vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Hcltech Security Vulnerabilities

HCL BigFix Compliance is affected by an improper or missing SameSite attribute

CVE-2024-42212 - May 05, 2025

HCL BigFix Compliance is affected by an improper or missing SameSite attribute. This can lead to Cross-Site Request Forgery (CSRF) attacks, where a malicious site could trick a user's browser into making unintended requests using authenticated sessions.

HCL BigFix Compliance is affected by inclusion of temporary files left in the production environment

CVE-2024-42213 - May 05, 2025

HCL BigFix Compliance is affected by inclusion of temporary files left in the production environment. An attacker might gain access to these files through indexing, predictable URLs, or misconfigured permissions, leading to information disclosure.

HCL MyXalytics is affected by a failure to restrict URL access vulnerability

CVE-2024-42178 7.5 - High - April 17, 2025

HCL MyXalytics is affected by a failure to restrict URL access vulnerability. Unauthenticated users might gain unauthorized access to potentially confidential information, creating a risk of misuse, manipulation, or unauthorized distribution.

Missing Authentication for Critical Function

HCL MyXalytics is affected by SSL/TLS Protocol affected with BREACH & LUCKY13 vulnerabilities

CVE-2024-42177 6.4 - Medium - April 17, 2025

HCL MyXalytics is affected by SSL/TLS protocol weaknesses (BREACH and LUCKY13). Attackers can exploit the weakness in the ciphers to intercept and decrypt encrypted data, steal sensitive information, or inject malicious code into the system.

Inadequate Encryption Strength

HCL MyXalytics is affected by concurrent login vulnerability

CVE-2024-42176 8 - High - March 19, 2025

HCL MyXalytics is affected by concurrent login vulnerability. A concurrent login vulnerability occurs when simultaneous active sessions are allowed for a single credential allowing an attacker to potentially obtain access to a user's account or sensitive information.

HCL SX is vulnerable to cross-site request forgery vulnerability which could allow an attacker to execute malicious and unauthorized actions transmitted from a user

CVE-2024-30154 5.7 - Medium - March 03, 2025

HCL SX is vulnerable to cross-site request forgery vulnerability which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.

HCL MyXalytics is affected by sensitive information disclosure vulnerability

CVE-2024-42179 2.7 - Low - January 12, 2025

HCL MyXalytics is affected by sensitive information disclosure vulnerability. The HTTP response header exposes the Microsoft-HTTP API/2.0 as the server's name & version.

HCL MyXalytics is affected by a malicious file upload vulnerability

CVE-2024-42180 9.8 - Critical - January 12, 2025

HCL MyXalytics is affected by a malicious file upload vulnerability. The application accepts invalid file uploads, including incorrect content types, double extensions, null bytes, and special characters, allowing attackers to upload and execute malicious files.

Unrestricted File Upload

HCL MyXalytics is affected by a cleartext transmission of sensitive information vulnerability

CVE-2024-42181 7.5 - High - January 12, 2025

HCL MyXalytics is affected by a cleartext transmission of sensitive information vulnerability. The application transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

Cleartext Transmission of Sensitive Information

HCL MyXalytics is affected by a weak input validation vulnerability

CVE-2024-42175 9.8 - Critical - January 11, 2025

HCL MyXalytics is affected by a weak input validation vulnerability. The application accepts special characters and there is no length validation. This can lead to security vulnerabilities like SQL injection, XSS, and buffer overflow.

HCL MyXalytics is affected by a session fixation vulnerability

CVE-2024-42170 6.8 - Medium - January 11, 2025

HCL MyXalytics is affected by a session fixation vulnerability. Cyber-criminals can exploit this by sending crafted URLs with a session token to access the victim's login session.

Session Fixation

HCL MyXalytics is affected by a session fixation vulnerability

CVE-2024-42171 6.4 - Medium - January 11, 2025

HCL MyXalytics is affected by a session fixation vulnerability. Cyber-criminals can exploit this by sending crafted URLs with a session token to access the victim's login session.

Session Fixation

HCL MyXalytics is affected by broken authentication

CVE-2024-42172 9.8 - Critical - January 11, 2025

HCL MyXalytics is affected by broken authentication. It allows attackers to compromise keys, passwords, and session tokens, potentially leading to identity theft and system control. This vulnerability arises from poor configuration, logic errors, or software bugs and can affect any application with access control, including databases, network infrastructure, and web applications.

Insufficiently Protected Credentials

HCL MyXalytics is affected by an improper password policy implementation vulnerability

CVE-2024-42173 4.8 - Medium - January 11, 2025

HCL MyXalytics is affected by an improper password policy implementation vulnerability. Weak passwords and lack of account lockout policies allow attackers to guess or brute-force passwords if the username is known.

Weak Password Requirements

HCL MyXalytics is affected by username enumeration vulnerability

CVE-2024-42174 3.7 - Low - January 11, 2025

HCL MyXalytics is affected by username enumeration vulnerability. This allows a malicious user to perform enumeration of application users, and therefore compile a list of valid usernames.

Side Channel Attack

HCL MyXalytics is affected by out-of-band resource load (HTTP) vulnerability

CVE-2024-42168 9.4 - Critical - January 11, 2025

HCL MyXalytics is affected by out-of-band resource load (HTTP) vulnerability. An attacker can deploy a web server that returns malicious content, and then induce the application to retrieve and process that content.

SSRF

HCL MyXalytics is affected by insecure direct object references

CVE-2024-42169 8.1 - High - January 11, 2025

HCL MyXalytics is affected by insecure direct object references. It occurs due to missing access control checks, which fail to verify whether a user should be allowed to access specific data.

Insecure Direct Object Reference / IDOR

HCL BigFix Compliance Unvalidated Redirect

CVE-2024-30140 - November 07, 2024

HCL BigFix Compliance is affected by unvalidated redirects and forwards. The HOST header can be manipulated by an attacker and, as a result, can poison the web cache so that the poisoned page is served back to users.

HCL BigFix Compliance Sensitive Error Disclosure

CVE-2024-30141 - November 07, 2024

HCL BigFix Compliance is vulnerable to the generation of error messages containing sensitive information. Detailed error messages can provide enticement information or expose information about its environment, users, or associated data.

HCL BigFix Compliance Cookie Secure Flag Missing

CVE-2024-30142 - November 07, 2024

HCL BigFix Compliance is affected by a missing secure flag on a cookie. If a secure flag is not set, cookies may be stolen by an attacker using XSS, resulting in unauthorized access or session cookies could be transferred over an unencrypted channel.

HCL Connections is vulnerable to an information disclosure vulnerability due to an IBM WebSphere Application Server error

CVE-2024-30106 4.3 - Medium - October 28, 2024

HCL Connections is vulnerable to an information disclosure vulnerability, due to an IBM WebSphere Application Server error, which could allow a user to obtain sensitive information they are not entitled to due to the improper handling of request data.

HCL Sametime is impacted by the error messages containing sensitive information

CVE-2023-50355 5.3 - Medium - October 23, 2024

HCL Sametime is impacted by the error messages containing sensitive information. An attacker can use this information to launch another, more focused attack.

Generation of Error Message Containing Sensitive Information

HCL Sametime is impacted by misconfigured security related HTTP headers

CVE-2024-30122 5.3 - Medium - October 23, 2024

HCL Sametime is impacted by misconfigured security related HTTP headers. It was identified that some HTTP headers were missing on web service responses. This will lead to less secure browser default treatment for the policies controlled by these headers.

A dynamic search for a prerequisite library could allow an attacker to replace the correct file

CVE-2024-30117 5.3 - Medium - October 14, 2024

A dynamic search for a prerequisite library could allow the possibility for an attacker to replace the correct file under some circumstances.

DLL preloading

HCL Connections is vulnerable to an information disclosure vulnerability caused by improper handling of request data

CVE-2024-30118 5.7 - Medium - October 09, 2024

HCL Connections is vulnerable to an information disclosure vulnerability which could allow a user to obtain sensitive information they are not entitled to because of improperly handling the request data.

HCL Nomad is susceptible to an insufficient session expiration vulnerability

CVE-2024-23586 7.5 - High - September 27, 2024

HCL Nomad is susceptible to an insufficient session expiration vulnerability. Under certain circumstances, an unauthenticated attacker could obtain old session information.

Insufficient Session Expiration

HCL BigFix Compliance is affected by a missing X-Frame-Options HTTP header which can allow an attacker to create a malicious website

CVE-2024-30126 - July 18, 2024

HCL BigFix Compliance is affected by a missing X-Frame-Options HTTP header which can allow an attacker to create a malicious website that embeds the target website in a frame or iframe, tricking users into performing actions on the target website without their knowledge.

HCL BigFix Compliance server can respond with an HTTP status of 500, indicating a server-side error

CVE-2024-30125 - July 18, 2024

HCL BigFix Compliance server can respond with an HTTP status of 500, indicating a server-side error that may cause the server process to die.

A security vulnerability in HCL Domino could allow disclosure of sensitive configuration information

CVE-2024-23562 7.5 - High - July 08, 2024

A security vulnerability in HCL Domino could allow disclosure of sensitive configuration information. A remote unauthenticated attacker could exploit this vulnerability to obtain information to launch further attacks against the affected system.

HCL Nomad server on Domino fails to properly handle users configured with limited Domino access resulting in a possible denial of service vulnerability.

CVE-2024-23588 6.5 - Medium - July 05, 2024

HCL Nomad server on Domino fails to properly handle users configured with limited Domino access resulting in a possible denial of service vulnerability.

The Domino Catalog template is susceptible to a Stored Cross-Site Scripting (XSS) vulnerability

CVE-2023-37539 5.4 - Medium - June 06, 2024

The Domino Catalog template is susceptible to a Stored Cross-Site Scripting (XSS) vulnerability. An attacker with the ability to edit documents in the catalog application/database created from this template can embed a cross site scripting attack. The attack would be activated by an end user clicking it.

XSS

HCL DRYiCE MyXalytics is impacted by an insecure SQL interface vulnerability

CVE-2023-50347 9.8 - Critical - April 10, 2024

HCL DRYiCE MyXalytics is impacted by an insecure SQL interface vulnerability, potentially giving an attacker the ability to execute custom SQL queries. A malicious user can run arbitrary SQL commands including changing system configuration.

An administrative user of WebReports may perform a Server Side Request Forgery (SSRF) exploit through SMTP configuration options.

CVE-2023-45705 7.2 - High - March 28, 2024

An administrative user of WebReports may perform a Server Side Request Forgery (SSRF) exploit through SMTP configuration options.

SSRF

A cross-site scripting (XSS) vulnerability in the Web Reports component of HCL BigFix Platform could allow retrieval of cookie-stored information

CVE-2023-37530 5.4 - Medium - February 29, 2024

A cross-site scripting (XSS) vulnerability in the Web Reports component of HCL BigFix Platform can possibly allow an attacker to execute malicious javascript code into a webpage trying to retrieve cookie stored information.

XSS

A cross-site scripting (XSS) vulnerability in the Web Reports component of HCL BigFix Platform could allow a privileged user to inject malicious JavaScript into a form field

CVE-2023-37531 4.8 - Medium - February 29, 2024

A cross-site scripting (XSS) vulnerability in the Web Reports component of HCL BigFix Platform can possibly allow an attacker to execute malicious javascript code into a form field of a webpage by a user with privileged access.

XSS

A cross-site scripting (XSS) vulnerability in the Web Reports component of HCL BigFix Platform could allow retrieval of cookie-stored information (distinct from CVE-2023-37530)

CVE-2023-37529 5.4 - Medium - February 29, 2024

A cross-site scripting (XSS) vulnerability in the Web Reports component of HCL BigFix Platform can possibly allow an attacker to execute malicious javascript code into a webpage trying to retrieve cookie stored information. This is not the same vulnerability as identified in CVE-2023-37530.

XSS

Internet passwords stored in Person documents in the Domino® Directory created using the "Add Person" action on the People & Groups tab in the Domino® Administrator are secured using a cryptographically weak hash algorithm

CVE-2023-37495 - February 29, 2024

Internet passwords stored in Person documents in the Domino® Directory created using the "Add Person" action on the People & Groups tab in the Domino® Administrator are secured using a cryptographically weak hash algorithm. This could enable attackers with access to the hashed value to determine a user's password, e.g. using a brute force attack. This issue does not impact Person documents created through user registration (https://help.hcltechsw.com/domino/10.0.1/admin/conf_userregistration_c.html).

HCL Connections is vulnerable to a denial of service, caused by improper validation on certain requests

CVE-2023-28018 6.5 - Medium - February 12, 2024

HCL Connections is vulnerable to a denial of service, caused by improper validation on certain requests. Using a specially-crafted request an attacker could exploit this vulnerability to cause denial of service for affected users.

Sametime is impacted by lack of clickjacking protection in Outlook add-in

CVE-2023-45698 6.1 - Medium - February 10, 2024

Sametime is impacted by lack of clickjacking protection in Outlook add-in. The application is not implementing appropriate protections in order to protect users from clickjacking attacks.

Clickjacking

Sametime is impacted by sensitive fields with autocomplete enabled in the Legacy web chat client

CVE-2023-45696 7.5 - High - February 10, 2024

Sametime is impacted by sensitive fields with autocomplete enabled in the Legacy web chat client. By default, this allows user entered data to be stored by the browser.

Sametime is impacted by a failure to invalidate sessions

CVE-2023-45718 7.5 - High - February 09, 2024

Sametime is impacted by a failure to invalidate sessions. The application is setting sensitive cookie values in a persistent manner in Sametime Web clients. When this happens, cookie values can remain valid even after a user has closed out their session.

Session Fixation

Sametime is impacted by sensitive information passed in URL.

CVE-2023-45716 4.1 - Medium - February 09, 2024

Sametime is impacted by sensitive information passed in URL.

Cleartext Transmission of Sensitive Information

Sametime is impacted by a Cross Site Request Forgery (CSRF) vulnerability

CVE-2023-50349 8.8 - High - February 09, 2024

Sametime is impacted by a Cross Site Request Forgery (CSRF) vulnerability. Some REST APIs in the Sametime Proxy application can allow an attacker to perform malicious actions on the application.

Session Riding

A cross-site scripting (XSS) vulnerability in the Web Reports component of HCL BigFix Platform could allow an application parameter to be exploited during Save Report

CVE-2023-37528 6.1 - Medium - February 03, 2024

A cross-site scripting (XSS) vulnerability in the Web Reports component of HCL BigFix Platform can possibly allow an attacker to exploit an application parameter during execution of the Save Report.

XSS

A cross-site scripting (XSS) vulnerability in the Web Reports component of HCL BigFix Platform exists due to missing a specific http header attribute.

CVE-2024-23553 5.4 - Medium - February 02, 2024

A cross-site scripting (XSS) vulnerability in the Web Reports component of HCL BigFix Platform exists due to missing a specific http header attribute.

XSS

A reflected cross-site scripting (XSS) vulnerability in the Web Reports component of HCL BigFix Platform could allow remote injection of malicious JavaScript while rendering a web page

CVE-2023-37527 6.1 - Medium - February 02, 2024

A reflected cross-site scripting (XSS) vulnerability in the Web Reports component of HCL BigFix Platform can possibly allow an attacker to execute malicious javascript code in the application session or in database, via remote injection, while rendering content in a web page.

XSS

HCL BigFix ServiceNow is vulnerable to arbitrary code injection

CVE-2023-37518 8.8 - High - January 30, 2024

HCL BigFix ServiceNow is vulnerable to arbitrary code injection. A malicious authorized attacker could inject arbitrary code and execute within the context of the running user.

Code Injection

HCL DRYiCE MyXalytics product is impacted by unauthenticated file upload vulnerability

CVE-2023-45724 9.8 - Critical - January 03, 2024

HCL DRYiCE MyXalytics product is impacted by unauthenticated file upload vulnerability. The web application permits the upload of a certain file without requiring user authentication.

Unrestricted File Upload

HCL DRYiCE MyXalytics is impacted by Improper Access Control (Obsolete web pages) vulnerability

CVE-2023-50341 7.5 - High - January 03, 2024

HCL DRYiCE MyXalytics is impacted by an Improper Access Control (Obsolete web pages) vulnerability. Discovery of outdated and accessible web pages reflects a "Missing Access Control" vulnerability, which could lead to inadvertent exposure of sensitive information and/or exposure of a vulnerable endpoint.

HCL DRYiCE MyXalytics is impacted by path traversal vulnerability which allows file upload capability

CVE-2023-45723 9.8 - Critical - January 03, 2024

HCL DRYiCE MyXalytics is impacted by a path traversal vulnerability which allows file upload capability. Certain endpoints permit users to manipulate the path (including the file name) where these files are stored on the server.

Directory traversal

Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).