CVE-2024-30127
Missing "no cache" headers in HCL Leap permits sensitive data to be cached.
CVE-2023-37516
Missing "no cache" headers in HCL Leap permits user directory information to be cached.
CVE-2022-44760
Unsafe default file type filter policy in HCL
Leap allows execution of unsafe JavaScript in deployed applications.
CVE-2022-44759
Improper sanitization of SVG files in HCL Leap
allows client-side script injection in deployed applications.
CVE-2024-30147
Multiple vectors in HCL Leap allow client-side
script injection in the authoring environment and deployed applications.
CVE-2024-30114
Insufficient sanitization in HCL Leap allows
client-side script injection in the authoring environment.
CVE-2024-30113
Insufficient sanitization policy in HCL Leap
allows client-side script injection in the deployed application through the
HTML widget.
CVE-2023-45720
Insufficient default configuration in HCL Leap
allows anonymous access to directory information.
CVE-2023-37534
Insufficient URI protocol whitelist in HCL Leap
allows script injection through query parameters.
CVE-2024-30148
Improper access control of endpoint in HCL Leap
allows certain admin users to import applications from the
server's filesystem.