HCL Launch could allow an authenticated user to obtain sensitive information in some instances due to improper security checking.

HCL Commerce's Remote Store server could allow a local attacker to obtain sensitive personal information. The vulnerability requires the victim to first perform a particular operation on the website.

BigFix Web Reports authorized users may perform HTML injection for the email administrative configuration page.

BigFix Web Reports authorized users may see SMTP credentials in clear text.

HCL Launch may store certain data for recurring activities in a plain text format.

HCL Launch stores user credentials in plain clear text which can be read by a local user.

Cross-origin resource sharing (CORS) enables browsers to perform cross domain requests in a controlled manner. This request has an Origin header that identifies the domain that is making the initial request and defines the protocol between a browser and server to see if the request is allowed. An attacker can take advantage of this and possibly carry out privileged actions and access sensitive information when the Access-Control-Allow-Credentials is enabled.

HCL Traveler is vulnerable to a cross-site scripting (XSS) caused by improper validation of the Name parameter for Approved Applications in the Traveler administration web pages. An attacker could exploit this vulnerability to execute a malicious script to access any cookies, session tokens, or other sensitive information retained by the browser and used with that site.

User generated PPKG file for Bulk Enroll may have unencrypted sensitive information exposed.

The software may be vulnerable to both Un-Auth XML interaction and unauthenticated device enrollment.