CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 0CVE-2019-4388
https://notcve.org/view.php?id=CVE-2019-4388
HCL AppScan Source 9.0.3.13 and earlier is susceptible to cross-site scripting (XSS) attacks by allowing users to embed arbitrary JavaScript code in the Web UI. HCL AppScan Source versiones 9.0.3.13 y anteriores, es susceptible a ataques de tipo cross-site scripting (XSS) al permitir a usuarios insertar código JavaScript arbitrario en la interfaz de usuario web. • https://hclpnpsupport.hcltech.com/csm?id=kb_article&sysparm_article=KB0074364 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2019-4409
https://notcve.org/view.php?id=CVE-2019-4409
HCL Traveler versions 9.x and earlier are susceptible to cross-site scripting attacks. On the Problem Report page of the Traveler servlet pages, there is a field to specify a file attachment to provide additional problem details. An invalid file name returns an error message that includes the entered file name. If the file name is not escaped in the returned error page, it could expose a cross-site scripting (XSS) vulnerability. HCL Traveler versiones 9.x y anteriores, son susceptibles a ataques de tipo cross-site scripting. • https://hclpnpsupport.hcltech.com/csm?id=kb_article&sysparm_article=KB0073231 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2019-16188
https://notcve.org/view.php?id=CVE-2019-16188
HCL AppScan Source before 9.03.13 is susceptible to XML External Entity (XXE) attacks in multiple locations. In particular, an attacker can send a specially crafted .ozasmt file to a targeted victim and ask the victim to open it. When the victim imports the .ozasmt file in AppScan Source, the content of any file in the local file system (to which the victim as read access) can be exfiltrated to a remote listener under the attacker's control. The product does not disable external XML Entity Processing, which can lead to information disclosure and denial of services attacks. HCL AppScan Source versiones anteriores a 9.03.13, es susceptible a ataques de tipo XML External Entity (XXE) en múltiples ubicaciones. • https://hclpnpsupport.hcltech.com/csm?id=kb_article&sys_id=0812a9961b0c885077761fc58d4bcb06 • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 8.1EPSS: 0%CPEs: 2EXPL: 0CVE-2018-11518
https://notcve.org/view.php?id=CVE-2018-11518
A vulnerability allows a phreaking attack on HCL legacy IVR systems that do not use VoIP. These IVR systems rely on various frequencies of audio signals; based on the frequency, certain commands and functions are processed. Since these frequencies are accepted within a phone call, an attacker can record these frequencies and use them for service activations. This is a request-forgery issue when the required series of DTMF signals for a service activation is predictable (e.g., the IVR system does not speak a nonce to the caller). In this case, the IVR system accepts an activation request from a less-secure channel (any loudspeaker in the caller's physical environment) without verifying that the request was intended (it matches a nonce sent over a more-secure channel to the caller's earpiece). • http://virgil-cj.blogspot.com/2018/05/0day-legacy-ivr-lets-phreak.html https://datarift.blogspot.com/2018/05/CVE-2018-11518-abusing-ivr-systems.html https://twitter.com/mishradhiraj_/status/1001664204485652482 https://twitter.com/mishradhiraj_/status/1001664440759091207 • CWE-20: Improper Input Validation •