CVE-2023-37536 – HCL BigFix Platform is vulnerable to an integer overflow in xerces-c++ 3.2.3
https://notcve.org/view.php?id=CVE-2023-37536
An integer overflow in xerces-c++ 3.2.3 in BigFix Platform allows remote attackers to cause out-of-bound access via HTTP request. Un desbordamiento de enteros de xerces-c++ 3.2.3 en BigFix Platform permite a atacantes remotos provocar acceso fuera de límites a través de una solicitud HTTP. An integer overflow exists in xerces-c++. This flaw allows an attacker using a specially crafted HTTP request payload to trigger an out-of-bounds read, resulting in a loss of confidentiality, integrity, and availability. • https://lists.debian.org/debian-lts-announce/2023/12/msg00027.html https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7A6WWL4SWKAVYK6VK5YN7KZP4MZWC7IY https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AJYZUBGPVWJ7LEHRCMB5XVADQBNGURXD https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DAOSSJ72CUJ535VRWTCVQKUYT2LYR3OM https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0107791 https://access.redhat.com/security • CWE-190: Integer Overflow or Wraparound CWE-680: Integer Overflow to Buffer Overflow •
CVE-2022-42453 – HCL BigFix Platform is affected by insufficient warnings
https://notcve.org/view.php?id=CVE-2022-42453
There are insufficient warnings when a Fixlet is imported by a user. The warning message currently assumes the owner of the script is the logged in user, with insufficient warnings when attempting to run the script. No hay advertencias suficientes cuando un usuario importa un Fixlet. El mensaje de advertencia actualmente supone que el propietario del script es el usuario que inició sesión, con advertencias insuficientes al intentar ejecutar el script. • https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0102049 • CWE-287: Improper Authentication •
CVE-2022-38659 – HCL BigFix Platform is affected by insecure credential storage
https://notcve.org/view.php?id=CVE-2022-38659
In specific scenarios, on Windows the operator credentials may be encrypted in a manner that is not completely machine-dependent. En escenarios específicos, en Windows las credenciales del operador pueden cifrarse de una manera que no dependa completamente de la máquina. • https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0102049 • CWE-326: Inadequate Encryption Strength •
CVE-2022-27545 – HCL BigFix Web Reports authorized users may perform HTML injection.
https://notcve.org/view.php?id=CVE-2022-27545
BigFix Web Reports authorized users may perform HTML injection for the email administrative configuration page. Los usuarios autorizados de BigFix Web Reports pueden llevar a cabo una inyección de HTML para la página de configuración administrativa del correo electrónico. • https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0098998 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2022-27544 – HCL BigFix Web Reports authorized users may see sensitive information in clear text
https://notcve.org/view.php?id=CVE-2022-27544
BigFix Web Reports authorized users may see SMTP credentials in clear text. Los usuarios autorizados de BigFix Web Reports pueden visualizar las credenciales SMTP en texto sin cifrar. • https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0098998 • CWE-522: Insufficiently Protected Credentials •