CVSS: 6.3EPSS: 0%CPEs: 1EXPL: 0CVE-2021-27768 – An SSL certificate host verification vulnerability affects HCL Verse for Android
https://notcve.org/view.php?id=CVE-2021-27768
Using the ability to perform a Man-in-the-Middle (MITM) attack, which indicates a lack of hostname verification, sensitive account information was able to be intercepted. In this specific scenario, the application's network traffic was intercepted using a proxy server set up in 'transparent' mode while a certificate with an invalid hostname was active. The Android application was found to have hostname verification issues during the server setup and login flows; however, the application did not process requests post-login. Usando la capacidad de llevar a cabo un ataque de tipo Man-in-the-Middle (MITM), que indica una falta de verificación del nombre de host, pudo interceptarse información confidencial de la cuenta. En este caso concreto, fué interceptado el tráfico de red de la aplicación usando un servidor proxy configurado en modo "transparent" mientras estaba activo un certificado con un nombre de host no válido. • https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0097753 • CWE-295: Improper Certificate Validation CWE-300: Channel Accessible by Non-Endpoint •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2021-27767 – HCL BigFix Platform Console is affected by a Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2021-27767
The BigFix Console installer is created with InstallShield, which was affected by CVE-2021-41526, a vulnerability that could allow a local user to perform a privilege escalation. This vulnerability was resolved by updating to an InstallShield version with the underlying vulnerability fixed. El instalador de BigFix Console se crea con InstallShield, que estaba afectado por CVE-2021-41526, una vulnerabilidad que podría permitir a un usuario local llevar a cabo una escalada de privilegios. Esta vulnerabilidad fue resuelta mediante la actualización a una versión de InstallShield con la vulnerabilidad subyacente corregida • https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2022/MNDT-2022-0025/MNDT-2022-0025.md https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0098116 • CWE-269: Improper Privilege Management •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2021-27766 – HCL BigFix Platform Client is affected by a Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2021-27766
The BigFix Client installer is created with InstallShield, which was affected by CVE-2021-41526, a vulnerability that could allow a local user to perform a privilege escalation. This vulnerability was resolved by updating to an InstallShield version with the underlying vulnerability fixed. El instalador de BigFix Client es creado con InstallShield, que estaba afectado por CVE-2021-41526, una vulnerabilidad que podía permitir a un usuario local llevar a cabo una elevación de privilegios. Esta vulnerabilidad fue resuelta mediante la actualización a una versión de InstallShield con la vulnerabilidad subyacente corregida • https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2022/MNDT-2022-0024/MNDT-2022-0024.md https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0098116 • CWE-269: Improper Privilege Management •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 1CVE-2021-27765 – HCL BigFix Platform Server API is affected by Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2021-27765
The BigFix Server API installer is created with InstallShield, which was affected by CVE-2021-41526, a vulnerability that could allow a local user to perform a privilege escalation. This vulnerability was resolved by updating to an InstallShield version with the underlying vulnerability fixed. El instalador de la API de BigFix Server es creado con InstallShield, que estaba afectado por CVE-2021-41526, una vulnerabilidad que podía permitir a un usuario local llevar a cabo una elevación de privilegios. Esta vulnerabilidad fue resuelta al actualizar a una versión de InstallShield con la vulnerabilidad subyacente corregida • https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2022/MNDT-2022-0023/MNDT-2022-0023.md https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0098116 • CWE-269: Improper Privilege Management •
CVSS: 7.4EPSS: 0%CPEs: 1EXPL: 0CVE-2021-27764 – HCL BigFix WebUI Cookie missing attributes
https://notcve.org/view.php?id=CVE-2021-27764
Cookie without HTTPONLY flag set. NUMBER cookie(s) was set without Secure or HTTPOnly flags. The images show the cookie with the missing flag. (WebUI) Cookie sin el flag HTTPONLY establecido. La cookie de NUMBER fue establecida sin los flags Secure o HTTPOnly. • https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0097778 • CWE-311: Missing Encryption of Sensitive Data CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute CWE-732: Incorrect Permission Assignment for Critical Resource •