Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2023-37526

Summary
Assigner-HCL
Assigner Org ID-1e47fe04-f25f-42fa-b674-36de2c5e3cfc
Published At-10 May, 2024 | 17:16
Updated At-02 Aug, 2024 | 17:16
Rejected At-
Credits

HCL DRYiCE Lucy v9 (now AEX) is affected by a Cross Origin Resource Sharing (CORS) Vulnerability

HCL DRYiCE Lucy (now AEX) is affected by a Cross Origin Resource Sharing (CORS) vulnerability. The mobile app is vulnerable to a CORS misconfiguration which could potentially allow unauthorized access to the application resources from any web domain and enable cache poisoning attacks.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:HCL
Assigner Org ID:1e47fe04-f25f-42fa-b674-36de2c5e3cfc
Published At:10 May, 2024 | 17:16
Updated At:02 Aug, 2024 | 17:16
Rejected At:
▼CVE Numbering Authority (CNA)
HCL DRYiCE Lucy v9 (now AEX) is affected by a Cross Origin Resource Sharing (CORS) Vulnerability

HCL DRYiCE Lucy (now AEX) is affected by a Cross Origin Resource Sharing (CORS) vulnerability. The mobile app is vulnerable to a CORS misconfiguration which could potentially allow unauthorized access to the application resources from any web domain and enable cache poisoning attacks.

Affected Products
Vendor
HCL Technologies Ltd.HCL Software
Product
DRYiCE Lucy
Default Status
unaffected
Versions
Affected
  • v9
Metrics
VersionBase scoreBase severityVector
3.16.5MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Version: 3.1
Base score: 6.5
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0113032
N/A
Hyperlink: https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0113032
Resource: N/A
▼Authorized Data Publishers (ADP)
1. CISA ADP Vulnrichment
Affected Products
Vendor
HCL Technologies Ltd.hcltech
Product
dryice_aex
CPEs
  • cpe:2.3:a:hcltech:dryice_aex:9:*:*:*:*:*:*:*
Default Status
unknown
Versions
Affected
  • 9
Problem Types
TypeCWE IDDescription
CWECWE-942CWE-942 Permissive Cross-domain Policy with Untrusted Domains
Type: CWE
CWE ID: CWE-942
Description: CWE-942 Permissive Cross-domain Policy with Untrusted Domains
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
2. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0113032
x_transferred
Hyperlink: https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0113032
Resource:
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:psirt@hcl.com
Published At:14 May, 2024 | 13:20
Updated At:03 Jul, 2024 | 01:40

HCL DRYiCE Lucy (now AEX) is affected by a Cross Origin Resource Sharing (CORS) vulnerability. The mobile app is vulnerable to a CORS misconfiguration which could potentially allow unauthorized access to the application resources from any web domain and enable cache poisoning attacks.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.16.5MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Type: Secondary
Version: 3.1
Base score: 6.5
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-942Secondary134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE ID: CWE-942
Type: Secondary
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0113032psirt@hcl.com
N/A
Hyperlink: https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0113032
Source: psirt@hcl.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

7Records found
CVE-2022-44758
Matching Score-8
Assigner-HCL Software
ShareView Details
Matching Score-8
Assigner-HCL Software
CVSS Score-6.5||MEDIUM
EPSS-0.11% / 29.34%
||
7 Day CHG~0.00%
Published-11 Oct, 2023 | 06:00
Updated-18 Sep, 2024 | 20:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL BigFix Insights for Vulnerability Remediation (IVR) is vulnerable to improper credential handling

BigFix Insights/IVR fixlet uses improper credential handling within certain fixlet content. An attacker can gain access to information that is not explicitly authorized.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-bigfix_insights_for_vulnerability_remediationBigFix Insights for Vulnerability Remediation
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2022-44757
Matching Score-8
Assigner-HCL Software
ShareView Details
Matching Score-8
Assigner-HCL Software
CVSS Score-6.5||MEDIUM
EPSS-0.10% / 27.77%
||
7 Day CHG~0.00%
Published-11 Oct, 2023 | 06:13
Updated-18 Sep, 2024 | 18:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL BigFix Insights for Vulnerability Remediation (IVR) is vulnerable to weak cryptography

BigFix Insights for Vulnerability Remediation (IVR) uses weak cryptography that can lead to credential exposure. An attacker could gain access to sensitive information, modify data in unexpected ways, etc.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-bigfix_insights_for_vulnerability_remediationBigFix Insights for Vulnerability Remediation
CWE ID-CWE-522
Insufficiently Protected Credentials
CVE-2022-42446
Matching Score-8
Assigner-HCL Software
ShareView Details
Matching Score-8
Assigner-HCL Software
CVSS Score-6.5||MEDIUM
EPSS-0.14% / 35.14%
||
7 Day CHG+0.03%
Published-30 Nov, 2022 | 22:54
Updated-24 Apr, 2025 | 15:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL Sametime 12.0 and 12.0FP1 anonymous users have directory lookup access

Starting with Sametime 12, anonymous users are enabled by default. After logging in as an anonymous user, one has the ability to browse the User Directory and potentially create chats with internal users.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-sametimeHCL Sametime
CWE ID-CWE-276
Incorrect Default Permissions
CVE-2023-37504
Matching Score-8
Assigner-HCL Software
ShareView Details
Matching Score-8
Assigner-HCL Software
CVSS Score-7.1||HIGH
EPSS-0.09% / 26.99%
||
7 Day CHG~0.00%
Published-19 Oct, 2023 | 00:09
Updated-12 Sep, 2024 | 18:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
An insufficient session expiration vulnerability affects HCL Compass

HCL Compass is vulnerable to failure to invalidate sessions. The application does not invalidate authenticated sessions when the log out functionality is called.  If the session identifier can be discovered, it could be replayed to the application and used to impersonate the user.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-hcl_compassHCL Compasshcl_compass
CWE ID-CWE-613
Insufficient Session Expiration
CVE-2021-27786
Matching Score-6
Assigner-HCL Software
ShareView Details
Matching Score-6
Assigner-HCL Software
CVSS Score-4.6||MEDIUM
EPSS-0.19% / 40.56%
||
7 Day CHG~0.00%
Published-07 Jun, 2022 | 17:50
Updated-16 Sep, 2024 | 21:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HCL OneTest Server is vulnerable to Cross Origin Resource Sharing: Arbitrary Origin Trusted

Cross-origin resource sharing (CORS) enables browsers to perform cross domain requests in a controlled manner. This request has an Origin header that identifies the domain that is making the initial request and defines the protocol between a browser and server to see if the request is allowed. An attacker can take advantage of this and possibly carry out privileged actions and access sensitive information when the Access-Control-Allow-Credentials is enabled.

Action-Not Available
Vendor-HCL Technologies Ltd.
Product-onetest_serverHCL OneTest Server
CWE ID-CWE-942
Permissive Cross-domain Policy with Untrusted Domains
CWE ID-CWE-697
Incorrect Comparison
CVE-2024-23823
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-4.2||MEDIUM
EPSS-0.20% / 41.85%
||
7 Day CHG~0.00%
Published-14 Mar, 2024 | 18:47
Updated-06 Aug, 2025 | 14:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
CORS settings overly permissive in vantage6

vantage6 is an open source framework built to enable, manage and deploy privacy enhancing technologies like Federated Learning and Multi-Party Computation. The vantage6 server has no restrictions on CORS settings. It should be possible for people to set the allowed origins of the server. The impact is limited because v6 does not use session cookies. This issue has been addressed in commit `70bb4e1d8` and is expected to ship in subsequent releases. Users are advised to upgrade as soon as a new release is available. There are no known workarounds for this vulnerability.

Action-Not Available
Vendor-vantage6vantage6
Product-vantage6vantage6
CWE ID-CWE-863
Incorrect Authorization
CWE ID-CWE-942
Permissive Cross-domain Policy with Untrusted Domains
CVE-2024-6449
Matching Score-4
Assigner-CERT.PL
ShareView Details
Matching Score-4
Assigner-CERT.PL
CVSS Score-5.3||MEDIUM
EPSS-0.31% / 53.30%
||
7 Day CHG~0.00%
Published-28 Aug, 2024 | 11:49
Updated-09 Jan, 2025 | 17:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Arbitrary cross-domain file inclusion in HyperView Geoportal Toolkit

HyperView Geoportal Toolkit in versions lower than 8.5.0 does not restrict cross-domain requests when fetching remote content pointed by one of GET request parameters. An unauthenticated remote attacker can prepare links, which upon opening will load scripts from a remote location controlled by the attacker and execute them in the user space. By manipulating this parameter it is also possible to enumerate some of the devices in Local Area Network in which the server resides.

Action-Not Available
Vendor-hyperviewHyperView
Product-geoportal_toolkitGeoportal Toolkit
CWE ID-CWE-942
Permissive Cross-domain Policy with Untrusted Domains
Details not found