CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2020-14248
https://notcve.org/view.php?id=CVE-2020-14248
BigFix Inventory up to v10.0.2 does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie. BigFix Inventory versiones hasta v10.0.2, no establece el indicador de seguridad para la cookie de sesión en una sesión https, lo que puede causar que la cookie se envíe en peticiones http y facilita a unos atacantes remotos capturar esta cookie • https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0085735 • CWE-319: Cleartext Transmission of Sensitive Information •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2020-14254
https://notcve.org/view.php?id=CVE-2020-14254
TLS-RSA cipher suites are not disabled in HCL BigFix Inventory up to v10.0.2. If TLS 2.0 and secure ciphers are not enabled then an attacker can passively record traffic and later decrypt it. Los conjuntos de cifrado TLS-RSA no están deshabilitados en HCL BigFix Inventory versiones hasta v10.0.2. Si TLS versión 2.0 y los cifrados seguros no están habilitados, un atacante puede registrar el tráfico de forma pasiva y luego descifrarlo • https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0085733 • CWE-327: Use of a Broken or Risky Cryptographic Algorithm •
CVSS: 6.0EPSS: 0%CPEs: 2EXPL: 0CVE-2020-4095
https://notcve.org/view.php?id=CVE-2020-4095
"BigFix Platform is storing clear text credentials within the system's memory. An attacker who is able to gain administrative privileges can use a program to create a memory dump and extract the credentials. These credentials can be used to pivot further into the environment. The principle of least privilege should be applied to all BigFix deployments, limiting administrative access." BigFix Platform está almacenando credenciales de texto sin cifrar dentro de la memoria del sistema. • https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0080772 • CWE-312: Cleartext Storage of Sensitive Information CWE-522: Insufficiently Protected Credentials •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2019-4058
https://notcve.org/view.php?id=CVE-2019-4058
IBM BigFix Platform 9.2 and 9.5 could allow a low-privilege user to manipulate the UI into exposing interface elements and information normally restricted to administrators. IBM X-Force ID: 156570. IBM BigFix Platform 9.2 y 9.5 podría permitir que un usuario con pocos privilegios manipule la Interfaz de Usuario para exponer los elementos de la interfaz y la información normalmente restringida a los administradores. ID de IBM X-Force: 156570. • https://exchange.xforce.ibmcloud.com/vulnerabilities/156570 https://www.ibm.com/support/docview.wss?uid=ibm10881996 • CWE-1021: Improper Restriction of Rendered UI Layers or Frames •
CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 0CVE-2019-4011
https://notcve.org/view.php?id=CVE-2019-4011
IBM BigFix Platform 9.2 and 9.5 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 155885. IBM BigFix Platform 9.2 y 9.5 es vulnerable a una secuencia de comandos del tipo cross-site. Esta vulnerabilidad permite a los usuarios incrustar código JavaScript arbitrario en la Interfaz de Usuario Web, por lo tanto, alterar la funcionalidad deseada que podría conducir a la divulgación de credenciales dentro de una sesión confiable. • https://exchange.xforce.ibmcloud.com/vulnerabilities/155885 https://www.ibm.com/support/docview.wss?uid=ibm10881996 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •