CVE-2023-28023 – HCL BigFix WebUI Software Distribution is affected by a cross site server request forgery vulnerability
https://notcve.org/view.php?id=CVE-2023-28023
A cross site request forgery vulnerability in the BigFix WebUI Software Distribution interface site version 44 and before allows an NMO attacker to access files on server side systems (server machine and all the ones in its network). • https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0106123 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2023-28019 – An SQL injection affects BigFix WebUI API
https://notcve.org/view.php?id=CVE-2023-28019
Insufficient validation in Bigfix WebUI API App site version < 14 allows an authenticated WebUI user to issue SQL queries via an unparameterized SQL query. • https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0106123 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2022-38655 – HCL BigFix WebUI is affected by a missing-permission-check vulnerability
https://notcve.org/view.php?id=CVE-2022-38655
BigFix WebUI non-master operators are missing controls that prevent them from being able to modify the relevance of fixlets or to deploy fixlets from the BES Support external site. A los operadores no maestros de BigFix WebUI les faltan controles que les impiden modificar la relevancia de los fixlets o implementar fixlets desde el sitio externo de soporte de BES. • https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0102140 •