CVE-2023-28019 – An SQL injection affects BigFix WebUI API
https://notcve.org/view.php?id=CVE-2023-28019
Insufficient validation in Bigfix WebUI API App site version < 14 allows an authenticated WebUI user to issue SQL queries via an unparameterized SQL query. • https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0106123 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2023-23344 – HCL BigFix WebUI Insights is susceptible to a lack of sufficient authorization
https://notcve.org/view.php?id=CVE-2023-23344
A permission issue in BigFix WebUI Insights site version 14 allows an authenticated, unprivileged operator to access an administrator page. • https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0105705 • CWE-276: Incorrect Default Permissions •
CVE-2023-28016 – HCL BigFix OSD Bare Metal Server is affected by a host header injection vulnerability
https://notcve.org/view.php?id=CVE-2023-28016
Host Header Injection vulnerability in the HCL BigFix OSD Bare Metal Server version 311.12 or lower allows attacker to supply invalid input to cause the OSD Bare Metal Server to perform a redirect to an attacker-controlled domain. • https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0105601 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVE-2023-28006 – HCL BigFix OSD Bare Metal Server is affected by a weak cryptographic algorithm.
https://notcve.org/view.php?id=CVE-2023-28006
The OSD Bare Metal Server uses a cryptographic algorithm that is no longer considered sufficiently secure. • https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0105601 • CWE-327: Use of a Broken or Risky Cryptographic Algorithm •
CVE-2023-23343 – HCL BigFix OSD Bare Metal Server version 311.12 or lower is affected by a clickjacking vulnerability.
https://notcve.org/view.php?id=CVE-2023-23343
A clickjacking vulnerability in the HCL BigFix OSD Bare Metal Server version 311.12 or lower allows attacker to use transparent or opaque layers to trick a user into clicking on a button or link on another page to perform a redirect to an attacker-controlled domain. • https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0105601 • CWE-1021: Improper Restriction of Rendered UI Layers or Frames •