HCL Traveler generates some error messages that provide detailed information about errors and failures, such as internal paths, file names, sensitive tokens, credentials, error codes, or stack traces. Attackers could exploit this information to gain insights into the system's architecture and potentially launch targeted attacks.
HCL Connections contains a user enumeration vulnerability. Certain actions could allow an attacker to determine if the user is valid or not, leading to a possible brute force attack.
BigFix Web Reports authorized users may see SMTP credentials in clear text.
HCL Launch could allow an authenticated user to obtain sensitive information in some instances due to improper security checking.
HCL VersionVault Express exposes administrator credentials.
HCL DRYiCE MyXalytics is impacted by an Improper Access Control (Controller APIs) vulnerability. Certain API endpoints are accessible to Customer Admin Users that can allow access to sensitive information about other users.
HCL DRYiCE MyXalytics is impacted by an information disclosure vulnerability. Certain endpoints within the application disclose detailed file information.
HCL DRYiCE MyXalytics is impacted by an Insecure Direct Object Reference (IDOR) vulnerability. A user can obtain certain details about another user as a result of improper access control.
HCL Connections contains a broken access control vulnerability that may expose sensitive information to unauthorized users in certain scenarios.
HCL AppScan Traffic Recorder fails to adequately neutralize special characters within the filename, potentially allowing it to resolve to a location beyond the restricted directory. Potential exploits can completely disrupt or take over the application or the computer where the application is running.
HCL Connections is vulnerable to an information disclosure vulnerability, due to an IBM WebSphere Application Server error, which could allow a user to obtain sensitive information they are not entitled to due to the improper handling of request data.
HCL Launch is vulnerable to HTML injection. This vulnerability may allow a user to embed arbitrary HTML tags in the Web UI potentially leading to sensitive information disclosure.
HCL DRYiCE Optibot Reset Station is impacted by insecure encryption of security questions. This could allow an attacker with access to the database to recover some or all encrypted values.
HCL DRYiCE Optibot Reset Station is impacted by insecure encryption of One-Time Passwords (OTPs). This could allow an attacker with access to the database to recover some or all encrypted values.
HCL DevOps Deploy / HCL Launch is vulnerable to sensitive information disclosure due to insufficient obfuscation of sensitive values.
If certain App Transport Security (ATS) settings are set in a certain manner, insecure loading of web content can be achieved.
HCL Connections is vulnerable to an information disclosure vulnerability which could allow a user to obtain sensitive information they are not entitled to, caused by improper handling of request data.
HCL Workload Automation is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.
A permission issue in BigFix WebUI Insights site version 14 allows an authenticated, unprivileged operator to access an administrator page.
HCL Traveler is affected by an internal path disclosure in a Windows application, where the application inadvertently reveals internal file paths in error messages, debug logs, or responses to user requests.
HCL BigFix Modern Client Management (MCM) 3.3 and earlier is affected by improper access control. Unauthorized users can access a small subset of endpoint actions, potentially allowing access to select internal functions.
HCL BigFix Mobile 3.3 and earlier is affected by improper access control. Unauthorized users can access a small subset of endpoint actions, potentially allowing access to select internal functions.
Insights for Vulnerability Remediation (IVR) is vulnerable to improper input validation. This may lead to information disclosure. This requires privileged access.
Users are able to read group conversations without actively taking part in them. In addition to one-to-one conversations, users are able to start group conversations with multiple users. It was found possible to obtain the contents of these group conversations without being part of them. This could lead to information leakage where confidential information discussed in private groups is read by other users without the participants' knowledge.
HCL Connections is vulnerable to a sensitive information disclosure vulnerability which could allow a user to obtain sensitive information they are not entitled to, caused by improper rendering of application data.
HCL iAutomate is affected by a sensitive data exposure vulnerability. This issue may allow unauthorized access to sensitive information within the system.
HCL BigFix SM is affected by cryptographic weakness due to weak or outdated encryption algorithms. An attacker with network access could exploit this weakness to decrypt or manipulate encrypted communications under certain conditions.
HCL iAutomate v6.5.1 and v6.5.2 are susceptible to a sensitive information disclosure. An HTTP GET method is used to process a request and includes sensitive information in the query string of that request. An attacker could potentially access information or resources they were not intended to see.
HCL iAutomate includes hardcoded credentials which may result in potential exposure of confidential data if intercepted or accessed by unauthorized parties.
HCL DevOps Deploy / HCL Launch could allow an authenticated user to obtain sensitive information about other users on the system due to missing authorization for a function.
A user-generated PPKG file for Bulk Enroll may expose unencrypted sensitive information.
HCL BigFix Compliance is vulnerable to the generation of error messages containing sensitive information. Detailed error messages can provide enticement information or expose information about its environment, users, or associated data.
HCL AION version 2 is affected by a Technical Error Disclosure vulnerability. This can expose sensitive technical details, potentially resulting in information disclosure or aiding further attacks.
HCL BigFix SaaS Authentication Service is affected by a sensitive information disclosure. Under certain conditions, error messages disclose sensitive version information about the underlying platform.
HCL Sametime is impacted by error messages containing sensitive information. An attacker can use this information to launch another, more focused attack.
HCL DRYiCE MyXalytics is impacted by an improper error handling vulnerability. The application returns detailed error messages that can provide an attacker with insight into the application, system, etc.
HCL Unica Centralized Offer Management is vulnerable to unhandled exceptions, which expose sensitive information. An attacker can use this information to exploit known vulnerabilities and launch targeted attacks, such as remote code execution or denial of service.
User input included in error response, which could be used in a phishing attack.
IBM Security Guardium Key Lifecycle Manager 4.1, 4.1.1, 4.2.0, and 4.2.1 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system.
This vulnerability exists in Wave 2.0 due to improper exception handling for invalid inputs at a certain API endpoint. An authenticated remote attacker could exploit this vulnerability by providing invalid inputs for the “userId” parameter in the API request, leading to generation of an error message containing sensitive information on the targeted system.
Umbraco is an ASP.NET CMS. Some endpoints in the Management API can return stack trace information, even when Umbraco is not in debug mode. This vulnerability is fixed in 14.1.2.
A vulnerability was found in Moodle. It is possible for users with the "send message" capability to view other users' names that they may not otherwise have access to via an error message in Messaging. Note: The name returned follows the full name format configured on the site.
Jenkins 2.478 and earlier, LTS 2.462.2 and earlier does not redact multi-line secret values in error messages generated for form submissions involving the `secretTextarea` form field.
Information Exposure Through an Error Message vulnerability in Hitachi RAID Manager Storage Replication Adapter allows remote authenticated users to gain sensitive information. This issue affects: Hitachi RAID Manager Storage Replication Adapter 02.01.04 versions prior to 02.03.02 on Windows; 02.05.00 versions prior to 02.05.01 on Windows and Docker.
Dell Wyse Management Suite 3.6.1 and below contains Information Disclosure in Devices error pages. An attacker could potentially exploit this vulnerability, leading to the disclosure of certain sensitive information. The attacker may be able to use the exposed information to access and further vulnerability research.
PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 allows remote authenticated users to obtain sensitive column values by triggering a constraint violation and then reading the error message.
openssh_key_parser is an open source Python package providing utilities to parse and pack OpenSSH private and public key files. In versions prior to 0.0.6 if a field of a key is shorter than it is declared to be, the parser raises an error with a message containing the raw field value. An attacker able to modify the declared length of a key's sensitive field can thus expose the raw value of that field. Users are advised to upgrade to version 0.0.6, which no longer includes the raw field value in the error message. There are no known workarounds for this issue.
Certain error messages returned by the application expose internal system details that should not be visible to end users, providing attackers with valuable reconnaissance information (like file paths, database errors, or software versions) that can be used to map the application's internal structure and discover other, more critical vulnerabilities.
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. It’s possible for authenticated users to enumerate clusters by name by inspecting error messages. It’s also possible to enumerate the names of projects with project-scoped clusters if you know the names of the clusters. This vulnerability is fixed in 2.11.3, 2.10.12, and 2.9.17.
IBM MQ Console 9.3 LTS and 9.3 CD could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 292765.