Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2022-27546

Summary
Assigner-HCL
Assigner Org ID-1e47fe04-f25f-42fa-b674-36de2c5e3cfc
Published At-29 Aug, 2022 | 16:00
Updated At-17 Sep, 2024 | 03:39
Rejected At-
Credits

HCL iNotes is susceptible to a Reflected Cross-site Scripting (XSS) vulnerability

HCL iNotes is susceptible to a Reflected Cross-site Scripting (XSS) vulnerability caused by improper validation of user-supplied input supplied with a form POST request. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's web browser within the security context of the hosting web site and/or steal the victim's cookie-based authentication credentials.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
â–¼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:HCL
Assigner Org ID:1e47fe04-f25f-42fa-b674-36de2c5e3cfc
Published At:29 Aug, 2022 | 16:00
Updated At:17 Sep, 2024 | 03:39
Rejected At:
â–¼CVE Numbering Authority (CNA)
HCL iNotes is susceptible to a Reflected Cross-site Scripting (XSS) vulnerability

HCL iNotes is susceptible to a Reflected Cross-site Scripting (XSS) vulnerability caused by improper validation of user-supplied input supplied with a form POST request. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's web browser within the security context of the hosting web site and/or steal the victim's cookie-based authentication credentials.

Affected Products
Vendor
HCL Technologies Ltd.HCL Software
Product
HCL iNotes
Versions
Affected
  • 9, 10, 11, 12
Problem Types
TypeCWE IDDescription
CWECWE-79CWE-79 Cross-site Scripting (XSS)
Type: CWE
CWE ID: CWE-79
Description: CWE-79 Cross-site Scripting (XSS)
Metrics
VersionBase scoreBase severityVector
3.18.3HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L
Version: 3.1
Base score: 8.3
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0100216
x_refsource_MISC
Hyperlink: https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0100216
Resource:
x_refsource_MISC
â–¼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Configurations

Workarounds

Exploits

Credits

Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0100216
x_refsource_MISC
x_transferred
Hyperlink: https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0100216
Resource:
x_refsource_MISC
x_transferred
Information is not available yet
â–¼National Vulnerability Database (NVD)
nvd.nist.gov
Source:psirt@hcl.com
Published At:29 Aug, 2022 | 16:15
Updated At:01 Sep, 2022 | 20:53

HCL iNotes is susceptible to a Reflected Cross-site Scripting (XSS) vulnerability caused by improper validation of user-supplied input supplied with a form POST request. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's web browser within the security context of the hosting web site and/or steal the victim's cookie-based authentication credentials.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.16.1MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Secondary3.18.3HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L
Type: Primary
Version: 3.1
Base score: 6.1
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Type: Secondary
Version: 3.1
Base score: 8.3
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L
CPE Matches

HCL Technologies Ltd.
hcltech
>>hcl_inotes>>9.0.1
cpe:2.3:a:hcltech:hcl_inotes:9.0.1:-:*:*:*:*:*:*
HCL Technologies Ltd.
hcltech
>>hcl_inotes>>9.0.1
cpe:2.3:a:hcltech:hcl_inotes:9.0.1:fixpack_10:*:*:*:*:*:*
HCL Technologies Ltd.
hcltech
>>hcl_inotes>>9.0.1
cpe:2.3:a:hcltech:hcl_inotes:9.0.1:fixpack_3:*:*:*:*:*:*
HCL Technologies Ltd.
hcltech
>>hcl_inotes>>9.0.1
cpe:2.3:a:hcltech:hcl_inotes:9.0.1:fixpack_4:*:*:*:*:*:*
HCL Technologies Ltd.
hcltech
>>hcl_inotes>>9.0.1
cpe:2.3:a:hcltech:hcl_inotes:9.0.1:fixpack_5:*:*:*:*:*:*
HCL Technologies Ltd.
hcltech
>>hcl_inotes>>9.0.1
cpe:2.3:a:hcltech:hcl_inotes:9.0.1:fixpack_6:*:*:*:*:*:*
HCL Technologies Ltd.
hcltech
>>hcl_inotes>>9.0.1
cpe:2.3:a:hcltech:hcl_inotes:9.0.1:fixpack_7:*:*:*:*:*:*
HCL Technologies Ltd.
hcltech
>>hcl_inotes>>9.0.1
cpe:2.3:a:hcltech:hcl_inotes:9.0.1:fixpack_8:*:*:*:*:*:*
HCL Technologies Ltd.
hcltech
>>hcl_inotes>>9.0.1
cpe:2.3:a:hcltech:hcl_inotes:9.0.1:fixpack_9:*:*:*:*:*:*
HCL Technologies Ltd.
hcltech
>>hcl_inotes>>10.0
cpe:2.3:a:hcltech:hcl_inotes:10.0:*:*:*:*:*:*:*
HCL Technologies Ltd.
hcltech
>>hcl_inotes>>10.0.1
cpe:2.3:a:hcltech:hcl_inotes:10.0.1:-:*:*:*:*:*:*
HCL Technologies Ltd.
hcltech
>>hcl_inotes>>10.0.1
cpe:2.3:a:hcltech:hcl_inotes:10.0.1:fixpack_1:*:*:*:*:*:*
HCL Technologies Ltd.
hcltech
>>hcl_inotes>>10.0.1
cpe:2.3:a:hcltech:hcl_inotes:10.0.1:fixpack_2:*:*:*:*:*:*
HCL Technologies Ltd.
hcltech
>>hcl_inotes>>10.0.1
cpe:2.3:a:hcltech:hcl_inotes:10.0.1:fixpack_3:*:*:*:*:*:*
HCL Technologies Ltd.
hcltech
>>hcl_inotes>>10.0.1
cpe:2.3:a:hcltech:hcl_inotes:10.0.1:fixpack_4:*:*:*:*:*:*
HCL Technologies Ltd.
hcltech
>>hcl_inotes>>10.0.1
cpe:2.3:a:hcltech:hcl_inotes:10.0.1:fixpack_5:*:*:*:*:*:*
HCL Technologies Ltd.
hcltech
>>hcl_inotes>>10.0.1
cpe:2.3:a:hcltech:hcl_inotes:10.0.1:fixpack_6:*:*:*:*:*:*
HCL Technologies Ltd.
hcltech
>>hcl_inotes>>10.0.1
cpe:2.3:a:hcltech:hcl_inotes:10.0.1:fixpack_7:*:*:*:*:*:*
HCL Technologies Ltd.
hcltech
>>hcl_inotes>>10.0.1
cpe:2.3:a:hcltech:hcl_inotes:10.0.1:fixpack_8:*:*:*:*:*:*
HCL Technologies Ltd.
hcltech
>>hcl_inotes>>11.0
cpe:2.3:a:hcltech:hcl_inotes:11.0:*:*:*:*:*:*:*
HCL Technologies Ltd.
hcltech
>>hcl_inotes>>11.0.1
cpe:2.3:a:hcltech:hcl_inotes:11.0.1:-:*:*:*:*:*:*
HCL Technologies Ltd.
hcltech
>>hcl_inotes>>11.0.1
cpe:2.3:a:hcltech:hcl_inotes:11.0.1:fixpack_1:*:*:*:*:*:*
HCL Technologies Ltd.
hcltech
>>hcl_inotes>>11.0.1
cpe:2.3:a:hcltech:hcl_inotes:11.0.1:fixpack_2:*:*:*:*:*:*
HCL Technologies Ltd.
hcltech
>>hcl_inotes>>11.0.1
cpe:2.3:a:hcltech:hcl_inotes:11.0.1:fixpack_3:*:*:*:*:*:*
HCL Technologies Ltd.
hcltech
>>hcl_inotes>>11.0.1
cpe:2.3:a:hcltech:hcl_inotes:11.0.1:fixpack_4:*:*:*:*:*:*
HCL Technologies Ltd.
hcltech
>>hcl_inotes>>11.0.1
cpe:2.3:a:hcltech:hcl_inotes:11.0.1:fixpack_5:*:*:*:*:*:*
HCL Technologies Ltd.
hcltech
>>hcl_inotes>>12.0
cpe:2.3:a:hcltech:hcl_inotes:12.0:*:*:*:*:*:*:*
HCL Technologies Ltd.
hcltech
>>hcl_inotes>>12.0.1
cpe:2.3:a:hcltech:hcl_inotes:12.0.1:-:*:*:*:*:*:*
HCL Technologies Ltd.
hcltech
>>hcl_inotes>>12.0.1
cpe:2.3:a:hcltech:hcl_inotes:12.0.1:fixpack_1:*:*:*:*:*:*
HCL Technologies Ltd.
hcltech
>>domino>>9.0
cpe:2.3:a:hcltech:domino:9.0:*:*:*:*:*:*:*
HCL Technologies Ltd.
hcltech
>>domino>>9.0.1
cpe:2.3:a:hcltech:domino:9.0.1:-:*:*:*:*:*:*
HCL Technologies Ltd.
hcltech
>>domino>>9.0.1
cpe:2.3:a:hcltech:domino:9.0.1:fixpack_10:*:*:*:*:*:*
HCL Technologies Ltd.
hcltech
>>domino>>9.0.1
cpe:2.3:a:hcltech:domino:9.0.1:fixpack_3:*:*:*:*:*:*
HCL Technologies Ltd.
hcltech
>>domino>>9.0.1
cpe:2.3:a:hcltech:domino:9.0.1:fixpack_4:*:*:*:*:*:*
HCL Technologies Ltd.
hcltech
>>domino>>9.0.1
cpe:2.3:a:hcltech:domino:9.0.1:fixpack_5:*:*:*:*:*:*
HCL Technologies Ltd.
hcltech
>>domino>>9.0.1
cpe:2.3:a:hcltech:domino:9.0.1:fixpack_6:*:*:*:*:*:*
HCL Technologies Ltd.
hcltech
>>domino>>9.0.1
cpe:2.3:a:hcltech:domino:9.0.1:fixpack_7:*:*:*:*:*:*
HCL Technologies Ltd.
hcltech
>>domino>>9.0.1
cpe:2.3:a:hcltech:domino:9.0.1:fixpack_8:*:*:*:*:*:*
HCL Technologies Ltd.
hcltech
>>domino>>9.0.1
cpe:2.3:a:hcltech:domino:9.0.1:fixpack_9:*:*:*:*:*:*
HCL Technologies Ltd.
hcltech
>>domino>>10.0
cpe:2.3:a:hcltech:domino:10.0:*:*:*:*:*:*:*
HCL Technologies Ltd.
hcltech
>>domino>>10.0.1
cpe:2.3:a:hcltech:domino:10.0.1:-:*:*:*:*:*:*
HCL Technologies Ltd.
hcltech
>>domino>>10.0.1
cpe:2.3:a:hcltech:domino:10.0.1:fixpack_1:*:*:*:*:*:*
HCL Technologies Ltd.
hcltech
>>domino>>10.0.1
cpe:2.3:a:hcltech:domino:10.0.1:fixpack_2:*:*:*:*:*:*
HCL Technologies Ltd.
hcltech
>>domino>>10.0.1
cpe:2.3:a:hcltech:domino:10.0.1:fixpack_3:*:*:*:*:*:*
HCL Technologies Ltd.
hcltech
>>domino>>10.0.1
cpe:2.3:a:hcltech:domino:10.0.1:fixpack_4:*:*:*:*:*:*
HCL Technologies Ltd.
hcltech
>>domino>>10.0.1
cpe:2.3:a:hcltech:domino:10.0.1:fixpack_5:*:*:*:*:*:*
HCL Technologies Ltd.
hcltech
>>domino>>10.0.1
cpe:2.3:a:hcltech:domino:10.0.1:fixpack_6:*:*:*:*:*:*
HCL Technologies Ltd.
hcltech
>>domino>>10.0.1
cpe:2.3:a:hcltech:domino:10.0.1:fixpack_7:*:*:*:*:*:*
HCL Technologies Ltd.
hcltech
>>domino>>10.0.1
cpe:2.3:a:hcltech:domino:10.0.1:fixpack_8:*:*:*:*:*:*
HCL Technologies Ltd.
hcltech
>>domino>>11.0
cpe:2.3:a:hcltech:domino:11.0:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-79Primarynvd@nist.gov
CWE-79Secondarypsirt@hcl.com
CWE ID: CWE-79
Type: Primary
Source: nvd@nist.gov
CWE ID: CWE-79
Type: Secondary
Source: psirt@hcl.com
Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References
HyperlinkSourceResource
https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0100216psirt@hcl.com
Vendor Advisory
Hyperlink: https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0100216
Source: psirt@hcl.com
Resource:
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

10595Records found

CVE-2022-27561
Matching Score-6
Assigner-HCL Software
ShareView Details
Matching Score-6
Assigner-HCL Software
CVSS Score-7.5||HIGH
EPSS-0.38% / 30.19%
||
7 Day CHG~0.00%
Published-15 Sep, 2022 | 21:50
Updated-16 Sep, 2024 | 20:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL Traveler is susceptible to a Reflected Cross-Site Scripting vulnerability in the web admin (LotusTraveler.nsf)

There is a reflected Cross-Site Scripting vulnerability in the HCL Traveler web admin (LotusTraveler.nsf).

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-travelerHCL Traveler
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-42200
Matching Score-6
Assigner-HCL Software
ShareView Details
Matching Score-6
Assigner-HCL Software
CVSS Score-4.8||MEDIUM
EPSS-0.18% / 7.94%
||
7 Day CHG~0.00%
Published-15 Apr, 2025 | 18:00
Updated-09 Oct, 2025 | 19:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL BigFix Web Reports is potentially susceptible to a Stored Cross-Site Scripting (XSS) attack

HCL BigFix Web Reports might be subject to a Stored Cross-Site Scripting (XSS) attack, due to a potentially weak validation of user input.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-bigfix_platformHCL BigFix Platform
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-42195
Matching Score-6
Assigner-HCL Software
ShareView Details
Matching Score-6
Assigner-HCL Software
CVSS Score-3.1||LOW
EPSS-0.29% / 20.38%
||
7 Day CHG+0.01%
Published-05 Dec, 2024 | 04:47
Updated-21 Apr, 2025 | 16:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL DevOps Deploy / HCL Launch is vulnerable to HTML injection

HCL DevOps Deploy / HCL Launch is vulnerable to HTML injection. This vulnerability may allow a user to embed arbitrary HTML tags in the Web UI potentially leading to sensitive information disclosure.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-hcl_devops_deployhcl_launchDevOps Deploy / Launch
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-80
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CVE-2024-30112
Matching Score-6
Assigner-HCL Software
ShareView Details
Matching Score-6
Assigner-HCL Software
CVSS Score-5.4||MEDIUM
EPSS-0.26% / 16.87%
||
7 Day CHG~0.00%
Published-25 Jun, 2024 | 21:28
Updated-28 Oct, 2025 | 18:53
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL Connections is vulnerable to a cross-site scripting (XSS) vulnerability

HCL Connections is vulnerable to a cross-site scripting attack where an attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user which leads to executing malicious script code. This may let the attacker steal cookie-based authentication credentials and comprise user's account then launch other attacks.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-connectionsConnections
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-30113
Matching Score-6
Assigner-HCL Software
ShareView Details
Matching Score-6
Assigner-HCL Software
CVSS Score-6.3||MEDIUM
EPSS-0.24% / 15.31%
||
7 Day CHG~0.00%
Published-24 Apr, 2025 | 16:23
Updated-17 Nov, 2025 | 21:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL Leap is affected by a cross-site scripting (XSS) vulnerability

Insufficient sanitization policy in HCL Leap allows client-side script injection in the deployed application through the HTML widget.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-hcl_leapHCL Leap
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-30126
Matching Score-6
Assigner-HCL Software
ShareView Details
Matching Score-6
Assigner-HCL Software
CVSS Score-4.7||MEDIUM
EPSS-0.22% / 12.41%
||
7 Day CHG~0.00%
Published-18 Jul, 2024 | 19:17
Updated-17 Jun, 2025 | 21:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL BigFix Compliance is affected by a missing X-Frame-Options Header vulnerability

HCL BigFix Compliance is affected by a missing X-Frame-Options HTTP header which can allow an attacker to create a malicious website that embeds the target website in a frame or iframe, tricking users into performing actions on the target website without their knowledge.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-bigfix_complianceBigFix Compliance
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-30114
Matching Score-6
Assigner-HCL Software
ShareView Details
Matching Score-6
Assigner-HCL Software
CVSS Score-3.7||LOW
EPSS-0.19% / 9.15%
||
7 Day CHG~0.00%
Published-24 Apr, 2025 | 16:22
Updated-17 Nov, 2025 | 21:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL Leap is affected by a cross-site scripting (XSS) vulnerability

Insufficient sanitization in HCL Leap allows client-side script injection in the authoring environment.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-hcl_leapHCL Leap
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-51734
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-5.4||MEDIUM
EPSS-0.15% / 4.88%
||
7 Day CHG+0.01%
Published-28 Nov, 2025 | 00:00
Updated-02 Dec, 2025 | 20:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in HCL Technologies Ltd. Unica 12.0.0.

Action-Not Available
Vendor-n/aHCL Technologies Ltd.
Product-unican/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-23553
Matching Score-6
Assigner-HCL Software
ShareView Details
Matching Score-6
Assigner-HCL Software
CVSS Score-3||LOW
EPSS-0.26% / 16.85%
||
7 Day CHG~0.00%
Published-02 Feb, 2024 | 21:03
Updated-03 Jun, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
A cross-site scripting (XSS) vulnerability affects HCL BigFix Platform

A cross-site scripting (XSS) vulnerability in the Web Reports component of HCL BigFix Platform exists due to missing a specific http header attribute.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-bigfix_platformBigFix Platform
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-45707
Matching Score-6
Assigner-HCL Software
ShareView Details
Matching Score-6
Assigner-HCL Software
CVSS Score-4.4||MEDIUM
EPSS-0.25% / 16.25%
||
7 Day CHG~0.00%
Published-08 Jun, 2024 | 15:10
Updated-15 Apr, 2026 | 00:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL Connections Docs is vulnerable to Cross-Site Scripting (XSS)

HCL Connections Docs is vulnerable to a cross-site scripting attack where an attacker may leverage this issue to execute arbitrary code. This may lead to credentials disclosure and possibly launch additional attacks.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-Connections Docs
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-45706
Matching Score-6
Assigner-HCL Software
ShareView Details
Matching Score-6
Assigner-HCL Software
CVSS Score-2||LOW
EPSS-0.26% / 17.33%
||
7 Day CHG~0.00%
Published-28 Mar, 2024 | 14:19
Updated-08 Jan, 2026 | 18:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL BigFix Platform is susceptible to Cross Site Scripting (XSS) and/or Man in the Middle (MITM) attack

An administrative user of WebReports may perform a Cross Site Scripting (XSS) and/or Man in the Middle (MITM) exploit through SAML configuration.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-bigfix_platformBigFix Platform
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-45700
Matching Score-6
Assigner-HCL Software
ShareView Details
Matching Score-6
Assigner-HCL Software
CVSS Score-4.3||MEDIUM
EPSS-0.31% / 23.17%
||
7 Day CHG~0.00%
Published-21 Dec, 2023 | 00:10
Updated-02 Aug, 2024 | 20:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL Launch is susceptible to an HTML injection vulnerability

HCL Launch is vulnerable to HTML injection. This vulnerability may allow a user to embed arbitrary HTML tags in the Web UI potentially leading to sensitive information disclosure.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-hcl_launchHCL Launch
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-37529
Matching Score-6
Assigner-HCL Software
ShareView Details
Matching Score-6
Assigner-HCL Software
CVSS Score-3||LOW
EPSS-0.34% / 25.49%
||
7 Day CHG~0.00%
Published-02 Feb, 2024 | 19:45
Updated-03 Jun, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
A cross-site scripting (XSS) vulnerability affects HCL BigFix Platform

A cross-site scripting (XSS) vulnerability in the Web Reports component of HCL BigFix Platform can possibly allow an attacker to execute malicious javascript code into a webpage trying to retrieve cookie stored information. This is not the same vulnerability as identified in CVE-2023-37530.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-bigfix_platformBigFix Platform
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-37530
Matching Score-6
Assigner-HCL Software
ShareView Details
Matching Score-6
Assigner-HCL Software
CVSS Score-3||LOW
EPSS-0.34% / 25.49%
||
7 Day CHG~0.00%
Published-02 Feb, 2024 | 20:02
Updated-03 Jun, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
A cross-site scripting (XSS) vulnerability affects HCL BigFix Platform

A cross-site scripting (XSS) vulnerability in the Web Reports component of HCL BigFix Platform can possibly allow an attacker to execute malicious javascript code into a webpage trying to retrieve cookie stored information.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-bigfix_platformBigFix Platform
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-37539
Matching Score-6
Assigner-HCL Software
ShareView Details
Matching Score-6
Assigner-HCL Software
CVSS Score-8.4||HIGH
EPSS-0.31% / 22.31%
||
7 Day CHG~0.00%
Published-06 Jun, 2024 | 22:43
Updated-02 Aug, 2024 | 17:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL Domino Catalog template is susceptible to a Stored Cross-Site Scripting (XSS) vulnerability

The Domino Catalog template is susceptible to a Stored Cross-Site Scripting (XSS) vulnerability. An attacker with the ability to edit documents in the catalog application/database created from this template can embed a cross site scripting attack. The attack would be activated by an end user clicking it.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-dominoDomino Serverdomino
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-37523
Matching Score-6
Assigner-HCL Software
ShareView Details
Matching Score-6
Assigner-HCL Software
CVSS Score-5.6||MEDIUM
EPSS-0.39% / 31.21%
||
7 Day CHG~0.00%
Published-16 Jan, 2024 | 17:33
Updated-03 Jun, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL BigFix OSD Bare Metal Server WebUI is affected by missing or insecure tags

Missing or insecure tags in the HCL BigFix Bare OSD Metal Server WebUI version 311.19 or lower could allow an attacker to execute a malicious script on the user's browser.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-bigfix_bare_osd_metal_server_webuiHCL BigFix OSD Bare Metal Server WebUIbigfix_bare_osd_metal_server_webui
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-37531
Matching Score-6
Assigner-HCL Software
ShareView Details
Matching Score-6
Assigner-HCL Software
CVSS Score-3.3||LOW
EPSS-0.36% / 27.91%
||
7 Day CHG~0.00%
Published-02 Feb, 2024 | 20:07
Updated-03 Jun, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
A cross-site scripting (XSS) vulnerability affects HCL BigFix Platform

A cross-site scripting (XSS) vulnerability in the Web Reports component of HCL BigFix Platform can possibly allow an attacker to execute malicious javascript code into a form field of a webpage by a user with privileged access.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-bigfix_platformBigFix Platform
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-28017
Matching Score-6
Assigner-HCL Software
ShareView Details
Matching Score-6
Assigner-HCL Software
CVSS Score-5.4||MEDIUM
EPSS-0.41% / 33.28%
||
7 Day CHG~0.00%
Published-07 Dec, 2023 | 04:25
Updated-02 Dec, 2024 | 14:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL Connections is vulnerable to cross-site scripting

HCL Connections is vulnerable to a cross-site scripting attack where an attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user after visiting the vulnerable URL which leads to executing malicious script code. This may let the attacker steal cookie-based authentication credentials and comprise a user's account then launch other attacks.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-connectionsHCL Connections
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-28014
Matching Score-6
Assigner-HCL Software
ShareView Details
Matching Score-6
Assigner-HCL Software
CVSS Score-6.6||MEDIUM
EPSS-0.22% / 12.06%
||
7 Day CHG~0.00%
Published-26 Jul, 2023 | 23:31
Updated-15 Oct, 2024 | 15:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL BigFix Mobile can be affected by a cross-site scripting (XSS) vulnerability

HCL BigFix Mobile is vulnerable to a cross-site scripting attack. An authenticated attacker could inject malicious scripts into the application.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-bigfix_mobileHCL BigFix Mobile
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-28025
Matching Score-6
Assigner-HCL Software
ShareView Details
Matching Score-6
Assigner-HCL Software
CVSS Score-6.6||MEDIUM
EPSS-0.31% / 23.16%
||
7 Day CHG~0.00%
Published-21 Dec, 2023 | 00:32
Updated-02 Aug, 2024 | 12:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
An HTML injection vulnerability can affect HCL BigFix Mobile / Modern Client Management

Due to this vulnerability, the Master operator could potentially incorporate an SVG tag into HTML, leading to an alert pop-up displaying a cookie. To mitigate stored XSS vulnerabilities, a preventive measure involves thoroughly sanitizing and validating all user inputs before they are processed and stored in the server storage.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-bigfix_modern_client_managementHCL BigFix Mobile / Modern Client Management
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-27781
Matching Score-6
Assigner-HCL Software
ShareView Details
Matching Score-6
Assigner-HCL Software
CVSS Score-6.6||MEDIUM
EPSS-0.41% / 32.77%
||
7 Day CHG~0.00%
Published-27 May, 2022 | 16:15
Updated-16 Sep, 2024 | 23:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL BigFix Mobile / Modern Client Management is vulnerable to stored cross-site scripting

The Master operator may be able to embed script tag in HTML with alert pop-up display cookie.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-bigfix_mobilemodern_client_managementHCL BigFix Mobile / Modern Client Management
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-27778
Matching Score-6
Assigner-HCL Software
ShareView Details
Matching Score-6
Assigner-HCL Software
CVSS Score-4.9||MEDIUM
EPSS-0.35% / 27.19%
||
7 Day CHG~0.00%
Published-31 May, 2022 | 23:50
Updated-17 Sep, 2024 | 00:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL Traveler is susceptible to a cross-site scripting vulnerability which could allow an attacker to execute a malicious script to access sensitive information.

HCL Traveler is vulnerable to a cross-site scripting (XSS) caused by improper validation of the Name parameter for Approved Applications in the Traveler administration web pages. An attacker could exploit this vulnerability to execute a malicious script to access any cookies, session tokens, or other sensitive information retained by the browser and used with that site.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-travelerHCL Traveler
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-21788
Matching Score-6
Assigner-HCL Software
ShareView Details
Matching Score-6
Assigner-HCL Software
CVSS Score-5.4||MEDIUM
EPSS-0.16% / 5.92%
||
7 Day CHG~0.00%
Published-19 Mar, 2026 | 08:44
Updated-19 Mar, 2026 | 18:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL Connections is vulnerable to cross-site scripting (XSS)

HCL Connections is vulnerable to a cross-site scripting attack where an attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user which leads to executing malicious script code.  This may allow the attacker steal cookie-based authentication credentials and comprise user's account then launch other attacks.

Action-Not Available
Vendor-HCLSoftwareHCL Technologies Ltd.
Product-connectionsConnections
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-4388
Matching Score-6
Assigner-HCL Software
ShareView Details
Matching Score-6
Assigner-HCL Software
CVSS Score-4.8||MEDIUM
EPSS-0.52% / 40.52%
||
7 Day CHG~0.00%
Published-18 Dec, 2019 | 12:57
Updated-04 Aug, 2024 | 19:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

HCL AppScan Source 9.0.3.13 and earlier is susceptible to cross-site scripting (XSS) attacks by allowing users to embed arbitrary JavaScript code in the Web UI.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-appscan_sourceAppScan Source
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-44759
Matching Score-6
Assigner-HCL Software
ShareView Details
Matching Score-6
Assigner-HCL Software
CVSS Score-4.6||MEDIUM
EPSS-0.18% / 7.92%
||
7 Day CHG~0.00%
Published-24 Apr, 2025 | 20:38
Updated-17 Nov, 2025 | 21:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL Leap is affected by Cross-site scripting (XSS)

Improper sanitization of SVG files in HCL Leap allows client-side script injection in deployed applications.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-hcl_leapHCL Leap
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-4409
Matching Score-6
Assigner-HCL Software
ShareView Details
Matching Score-6
Assigner-HCL Software
CVSS Score-5.4||MEDIUM
EPSS-0.52% / 40.41%
||
7 Day CHG~0.00%
Published-18 Oct, 2019 | 19:28
Updated-04 Aug, 2024 | 19:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

HCL Traveler versions 9.x and earlier are susceptible to cross-site scripting attacks. On the Problem Report page of the Traveler servlet pages, there is a field to specify a file attachment to provide additional problem details. An invalid file name returns an error message that includes the entered file name. If the file name is not escaped in the returned error page, it could expose a cross-site scripting (XSS) vulnerability.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-travelerHCL Traveler
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-42452
Matching Score-6
Assigner-HCL Software
ShareView Details
Matching Score-6
Assigner-HCL Software
CVSS Score-4.6||MEDIUM
EPSS-0.34% / 26.10%
||
7 Day CHG~0.00%
Published-30 Mar, 2023 | 20:37
Updated-12 Feb, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

HCL Launch is vulnerable to HTML injection.  HTML code is stored and included without being sanitized. This can lead to further attacks such as XSS and Open Redirections.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-hcl_launchHCL Launch
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-62326
Matching Score-6
Assigner-HCL Software
ShareView Details
Matching Score-6
Assigner-HCL Software
CVSS Score-6.1||MEDIUM
EPSS-0.15% / 4.91%
||
7 Day CHG~0.00%
Published-20 Feb, 2026 | 20:01
Updated-24 Feb, 2026 | 20:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL Digital Experience is susceptible to stored cross-site scripting (XSS)

HCL Digital Experience is susceptible to stored cross-site scripting (XSS) in the administrative user interface which would require elevated privileges to exploit.

Action-Not Available
Vendor-HCLSoftwareHCL Technologies Ltd.
Product-digital_experienceDigital Experience
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-63401
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-5.5||MEDIUM
EPSS-0.40% / 31.85%
||
7 Day CHG+0.01%
Published-03 Dec, 2025 | 00:00
Updated-18 Dec, 2025 | 20:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross Site Scripting vulnerability in HCL Technologies Limited HCLTech DRAGON before v.7.6.0 allows a remote attacker to execute arbitrary code via missing directives

Action-Not Available
Vendor-n/aHCL Technologies Ltd.
Product-dragonn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-30115
Matching Score-6
Assigner-HCL Software
ShareView Details
Matching Score-6
Assigner-HCL Software
CVSS Score-6.3||MEDIUM
EPSS-0.20% / 9.56%
||
7 Day CHG~0.00%
Published-30 Apr, 2025 | 21:14
Updated-04 Nov, 2025 | 01:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL Domino Volt and Domino Leap are affected by a cross-site scripting (XSS) vulnerability

Insufficient sanitization policy in HCL Leap allows client-side script injection in the deployed application through the HTML widget.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-domino_leapHCL Domino Leap
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-52653
Matching Score-6
Assigner-HCL Software
ShareView Details
Matching Score-6
Assigner-HCL Software
CVSS Score-7.6||HIGH
EPSS-0.24% / 15.24%
||
7 Day CHG+0.01%
Published-03 Oct, 2025 | 17:59
Updated-08 Oct, 2025 | 16:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Cross Site Scripting vulnerability in the web application

HCL MyXalytics product is affected by Cross Site Scripting vulnerability in the web application. This can allow the execution of unauthorized scripts, potentially resulting in unauthorized actions or access.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-dryice_myxalyticsHCL MyXalytics
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-52620
Matching Score-6
Assigner-HCL Software
ShareView Details
Matching Score-6
Assigner-HCL Software
CVSS Score-4.3||MEDIUM
EPSS-0.18% / 7.61%
||
7 Day CHG~0.00%
Published-15 Aug, 2025 | 22:47
Updated-29 Oct, 2025 | 20:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL BigFix SaaS Authentication Service is affected by a Cross-Site Scripting (XSS) vulnerability

HCL BigFix SaaS Authentication Service is affected by a Cross-Site Scripting (XSS) vulnerability. The image upload functionality inadequately validated the submitted image format.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-bigfix_saasBigFix SaaS Remediate
CWE ID-CWE-20
Improper Input Validation
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-31994
Matching Score-6
Assigner-HCL Software
ShareView Details
Matching Score-6
Assigner-HCL Software
CVSS Score-4.3||MEDIUM
EPSS-0.17% / 6.22%
||
7 Day CHG~0.00%
Published-13 Oct, 2025 | 03:59
Updated-14 Oct, 2025 | 20:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL Unica Campaign is vulnerable to Reflected Cross-Site Scripting (XSS)

HCL Unica Campaign 12.1.10 is vulnerable to Reflected Cross-Site Scripting (XSS) where an attacker injects malicious script into an HTTP request, which is then reflected unsafely in the server's immediate response to the victim's browser, executing the script as if it originated from the trusted website.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-Unica Campaign
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-31988
Matching Score-6
Assigner-HCL Software
ShareView Details
Matching Score-6
Assigner-HCL Software
CVSS Score-4.9||MEDIUM
EPSS-0.22% / 12.96%
||
7 Day CHG~0.00%
Published-19 Aug, 2025 | 18:12
Updated-21 Aug, 2025 | 18:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL Digital Experience is susceptible to cross site scripting (XSS)

HCL Digital Experience is susceptible to cross site scripting (XSS) in an administrative UI with restricted access.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-digital_experienceDigital Experience
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-42210
Matching Score-6
Assigner-HCL Software
ShareView Details
Matching Score-6
Assigner-HCL Software
CVSS Score-7.6||HIGH
EPSS-0.17% / 6.64%
||
7 Day CHG~0.00%
Published-19 Mar, 2026 | 07:32
Updated-23 Mar, 2026 | 14:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL Unica Marketing Operations v12.1.8 and lower is affected by a Stored cross-site scripting (XSS) vulnerability

A Stored cross-site scripting (XSS) vulnerability affects HCL Unica Marketing Operations v12.1.8 and lower.  Stored cross-site scripting (also known as second-order or persistent XSS) arises when an application receives data from an untrusted source and includes that data within its later HTTP responses in an unsafe way.

Action-Not Available
Vendor-HCLSoftwareHCL Technologies Ltd.
Product-unicaUnica Marketing Operations (Plan)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-4082
Matching Score-6
Assigner-HCL Software
ShareView Details
Matching Score-6
Assigner-HCL Software
CVSS Score-5.4||MEDIUM
EPSS-0.66% / 47.09%
||
7 Day CHG~0.00%
Published-05 Mar, 2020 | 18:45
Updated-04 Aug, 2024 | 07:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The HCL Connections 5.5 help system is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-connections"HCL Connections"
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-4104
Matching Score-6
Assigner-HCL Software
ShareView Details
Matching Score-6
Assigner-HCL Software
CVSS Score-5.4||MEDIUM
EPSS-0.52% / 40.42%
||
7 Day CHG~0.00%
Published-17 Jul, 2020 | 20:46
Updated-04 Aug, 2024 | 07:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

HCL BigFix WebUI is vulnerable to stored cross-site scripting (XSS) within the Apps->Software module. An attacker can use XSS to send a malicious script to an unsuspecting user. This affects all versions prior to latest releases as specified in https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0080855&sys_kb_id=971d99ed1b8ed01c086dcbfc0a4bcb6a.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-bigfix_webuiHCL BigFix WebUI
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-4084
Matching Score-6
Assigner-HCL Software
ShareView Details
Matching Score-6
Assigner-HCL Software
CVSS Score-5.4||MEDIUM
EPSS-0.52% / 40.42%
||
7 Day CHG~0.00%
Published-09 Mar, 2020 | 16:42
Updated-04 Aug, 2024 | 07:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

HCL Connections v5.5, v6.0, and v6.5 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-connectionsHCL Connections
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-4090
Matching Score-6
Assigner-HCL Software
ShareView Details
Matching Score-6
Assigner-HCL Software
CVSS Score-5.4||MEDIUM
EPSS-0.54% / 41.28%
||
7 Day CHG~0.00%
Published-17 Jul, 2020 | 19:09
Updated-04 Aug, 2024 | 19:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

"HCL Campaign is vulnerable to cross-site scripting when a user provides XSS scripts in Campaign Description field."

Action-Not Available
Vendor-n/aHCL Technologies Ltd.
Product-marketing_campaign"HCL Campaign"
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-4091
Matching Score-6
Assigner-HCL Software
ShareView Details
Matching Score-6
Assigner-HCL Software
CVSS Score-5.4||MEDIUM
EPSS-0.52% / 40.42%
||
7 Day CHG~0.00%
Published-17 Jul, 2020 | 19:07
Updated-04 Aug, 2024 | 19:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

"HCL Marketing Platform is vulnerable to cross-site scripting during addition of new users and also while searching for users in Dashboard, potentially giving an attacker ability to inject malicious code into the system. "

Action-Not Available
Vendor-n/aHCL Technologies Ltd.
Product-marketing_campaign"HCL Marketing Platform"
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-25247
Matching Score-4
Assigner-Apache Software Foundation
ShareView Details
Matching Score-4
Assigner-Apache Software Foundation
CVSS Score-6.1||MEDIUM
EPSS-0.62% / 45.43%
||
7 Day CHG~0.00%
Published-10 Feb, 2025 | 11:16
Updated-14 Jul, 2025 | 13:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Apache Felix Webconsole: XSS in services console

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Felix Webconsole. This issue affects Apache Felix Webconsole 4.x up to 4.9.8 and 5.x up to 5.0.8. Users are recommended to upgrade to version 4.9.10 or 5.0.10 or higher, which fixes the issue.

Action-Not Available
Vendor-The Apache Software Foundation
Product-felix_webconsoleApache Felix Webconsole
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-16414
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-1.57% / 72.30%
||
7 Day CHG~0.00%
Published-30 Sep, 2019 | 12:10
Updated-05 Aug, 2024 | 01:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A DOM based XSS in GFI Kerio Control v9.3.0 allows embedding of malicious code and manipulating the login page to send back a victim's cleartext credentials to an attacker via a login/?reason=failure&NTLM= URI.

Action-Not Available
Vendor-gfin/a
Product-kerio_controln/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-25939
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-0.25% / 16.66%
||
7 Day CHG~0.00%
Published-03 Mar, 2025 | 00:00
Updated-30 Dec, 2025 | 17:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Reprise License Manager 14.2 is vulnerable to reflected cross-site scripting in /goform/activate_process via the akey parameter.

Action-Not Available
Vendor-reprisesoftwaren/a
Product-reprise_license_managern/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-43668
Matching Score-4
Assigner-JPCERT/CC
ShareView Details
Matching Score-4
Assigner-JPCERT/CC
CVSS Score-6.1||MEDIUM
EPSS-0.36% / 27.68%
||
7 Day CHG~0.00%
Published-07 Dec, 2022 | 00:00
Updated-23 Apr, 2025 | 14:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Typora versions prior to 1.4.4 fails to properly neutralize JavaScript code, which may result in executing JavaScript code contained in the file when opening a file with the affected product.

Action-Not Available
Vendor-typoraTypora
Product-typoraTypora
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-8656
Matching Score-4
Assigner-Snyk
ShareView Details
Matching Score-4
Assigner-Snyk
CVSS Score-5.1||MEDIUM
EPSS-0.19% / 8.98%
||
7 Day CHG~0.00%
Published-16 May, 2026 | 05:00
Updated-19 May, 2026 | 15:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Versions of the package jsondiffpatch before 0.7.6 are vulnerable to Cross-site Scripting (XSS) via the annotated formatter due to improper sanitization of JSON values and property names. If an application compares untrusted JSON/object data and renders annotated formatter output in the DOM, attacker-controlled HTML can be interpreted by the browser, resulting in XSS.

Action-Not Available
Vendor-n/a
Product-jsondiffpatch
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-43556
Matching Score-4
Assigner-HackerOne
ShareView Details
Matching Score-4
Assigner-HackerOne
CVSS Score-6.1||MEDIUM
EPSS-0.61% / 45.11%
||
7 Day CHG~0.00%
Published-05 Dec, 2022 | 00:00
Updated-24 Apr, 2025 | 14:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to XSS in the text input field since the result dashboard page output is not sanitized. The Concrete CMS security team has ranked this 4.2 with CVSS v3.1 vector AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N Thanks @_akbar_jafarli_ for reporting. Remediate by updating to Concrete CMS 8.5.10 and Concrete CMS 9.1.3.

Action-Not Available
Vendor-concretecmsn/a
Product-concrete_cmshttps://github.com/concretecms/concretecms
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-43527
Matching Score-4
Assigner-Hewlett Packard Enterprise (HPE)
ShareView Details
Matching Score-4
Assigner-Hewlett Packard Enterprise (HPE)
CVSS Score-6.1||MEDIUM
EPSS-0.46% / 36.78%
||
7 Day CHG~0.00%
Published-03 Jan, 2023 | 19:39
Updated-10 Apr, 2025 | 17:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple vulnerabilities within the web-based management interface of Aruba EdgeConnect Enterprise Orchestrator could allow a remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of the interface. A successful exploit could allow an attacker to execute arbitrary script code in a victim's browser in the context of the affected interface in Aruba EdgeConnect Enterprise Orchestration Software version(s): Aruba EdgeConnect Enterprise Orchestrator (on-premises), Aruba EdgeConnect Enterprise Orchestrator-as-a-Service, Aruba EdgeConnect Enterprise Orchestrator-SP and Aruba EdgeConnect Enterprise Orchestrator Global Enterprise Tenant Orchestrators - Orchestrator 9.2.1.40179 and below, - Orchestrator 9.1.4.40436 and below, - Orchestrator 9.0.7.40110 and below, - Orchestrator 8.10.23.40015 and below, - Any older branches of Orchestrator not specifically mentioned.

Action-Not Available
Vendor-Hewlett Packard Enterprise (HPE)Aruba Networks
Product-aruba_edgeconnect_enterprise_orchestratorAruba EdgeConnect Enterprise Orchestration Software
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-6367
Matching Score-4
Assigner-Drupal.org
ShareView Details
Matching Score-4
Assigner-Drupal.org
CVSS Score-6.1||MEDIUM
EPSS-0.20% / 10.13%
||
7 Day CHG~0.00%
Published-19 May, 2026 | 22:28
Updated-22 Jun, 2026 | 15:07
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Drupal core - Moderately critical - Cross-site scripting - SA-CORE-2026-003

Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS). This issue affects Drupal core: from 11.3.0 before 11.3.7.

Action-Not Available
Vendor-The Drupal Association
Product-drupalDrupal core
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-25296
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-6.1||MEDIUM
EPSS-1.78% / 75.53%
||
7 Day CHG~0.00%
Published-14 Feb, 2025 | 19:24
Updated-25 Aug, 2025 | 01:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Label Studio allows Cross-Site Scripting (XSS) via GET request to `/projects/upload-example` endpoint

Label Studio is an open source data labeling tool. Prior to version 1.16.0, Label Studio's `/projects/upload-example` endpoint allows injection of arbitrary HTML through a `GET` request with an appropriately crafted `label_config` query parameter. By crafting a specially formatted XML label config with inline task data containing malicious HTML/JavaScript, an attacker can achieve Cross-Site Scripting (XSS). While the application has a Content Security Policy (CSP), it is only set in report-only mode, making it ineffective at preventing script execution. The vulnerability exists because the upload-example endpoint renders user-provided HTML content without proper sanitization on a GET request. This allows attackers to inject and execute arbitrary JavaScript in victims' browsers by getting them to visit a maliciously crafted URL. This is considered vulnerable because it enables attackers to execute JavaScript in victims' contexts, potentially allowing theft of sensitive data, session hijacking, or other malicious actions. Version 1.16.0 contains a patch for the issue.

Action-Not Available
Vendor-humansignalHumanSignal
Product-label_studiolabel-studio
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-17229
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-6.1||MEDIUM
EPSS-1.36% / 68.44%
||
7 Day CHG~0.00%
Published-24 Feb, 2020 | 18:25
Updated-05 Aug, 2024 | 01:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

includes/options.php in the motors-car-dealership-classified-listings (aka Motors - Car Dealer & Classified Ads) plugin through 1.4.0 for WordPress has multiple stored XSS issues.

Action-Not Available
Vendor-stylemixthemesn/a
Product-motors_-_car_dealer\,_classifieds_\&_listingn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • Previous
  • 1
  • 2
  • 3
  • 4
  • ...
  • 211
  • 212
  • Next
Details not found