CVSS: 8.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

HCL Verse is susceptible to a Stored Cross Site Scripting (XSS) vulnerability. An attacker could execute script in a victim's web browser to perform operations as the victim and/or steal the victim's cookies, session tokens, or other sensitive information. • https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0105904 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

HCL Verse is susceptible to a Reflected Cross Site Scripting (XSS) vulnerability. By tricking a user into entering crafted markup, a remote, unauthenticated attacker could execute script in a victim's web browser to perform operations as the victim and/or steal the victim's cookies, session tokens, or other sensitive information. HCL BigFix Mobile is vulnerable to Cross-Site Scripting (XSS) attacks. An authenticated attacker could inject malicious scripts into the application. • https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0105905 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 8.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

HCL Verse is susceptible to a Cross Site Scripting (XSS) vulnerability. By tricking a user into clicking a crafted URL, a remote unauthenticated attacker could execute script in a victim's web browser to perform operations as the victim and/or steal the victim's cookies, session tokens, or other sensitive information. • https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0103678 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

The application was signed using a key length less than or equal to 1024 bits, making it potentially vulnerable to forged digital signatures. An attacker could forge the same digital signature of the app after maliciously modifying the app. • https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0100861 • CWE-326: Inadequate Encryption Strength

CVSS: 6.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

Sensitive account information could be intercepted through a Man-in-the-Middle (MITM) attack, which indicates a lack of hostname verification. In this specific scenario, the application's network traffic was intercepted using a proxy server set up in 'transparent' mode while a certificate with an invalid hostname was active. The Android application was found to have hostname verification issues during the server setup and login flows; however, the application did not process requests post-login. • https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0097753 • CWE-295: Improper Certificate Validation • CWE-300: Channel Accessible by Non-Endpoint