Security bulletins

The following HCL Commerce security bulletins contain the details of security vulnerabilities that affect HCL Commerce or its companion software. The following details provide security risk assessment information to help you assess if a particular issue might impact your organization.

To avoid preventable security issues, it is recommended that you stay up to date on the most current maintenance options for your products.

Important: For up-to-date bulletins, subscribe to the following services:
Date of publication CVE(s) Vulnerability Affected software
November 1, 2024 CVE-2024-37532, CVE-2023-51775, CVE-2024-35154, CVE-2024-22354, CVE-2023-50313, CVE-2024-25026, CVE-2024-35153, CVE-2024-22329, CVE-2024-38474, CVE-2024-38475, CVE-2024-38477, CVE-2024-24795, CVE-2023-38709, CVE-2024-39573, CVE-2024-40898, CVE-2024-40725, CVE-2024-38472, CVE-2024-38476, CVE-2024-38473 Multiple vulnerabilities in IBM WebSphere Application Server, IBM WebSphere Application Server Liberty and IBM HTTP Server affect HCL Commerce WebSphere Application Server, WebSphere Application Server V8.5.5 Liberty, and IBM HTTP Server

included in:

HCL Commerce versions 9.1.0.0 - 9.1.15.0
November 1, 2024 CVE-2023-22081, CVE-2023-22067, CVE-2023-5676, CVE-2024-20918, CVE-2024-20952, CVE-2024-20921, CVE-2024-20945, CVE-2023-33850, CVE-2024-21011, CVE-2023-38264 Multiple Vulnerabilities in IBM® Java SDK affect IBM WebSphere Application Server and IBM WebSphere Application Server Liberty IBM Java SDK

included in:

HCL Commerce versions 9.1.0.0 - 9.1.15.0
November 1, 2024 CVE-2024-27268, CVE-2023-50312, CVE-2024-27270 Multiple vulnerabilities in IBM WebSphere Application Server Liberty affect HCL Commerce WebSphere Application Server V8.5.5 Liberty

included in:

HCL Commerce versions 9.1.0.0 - 9.1.15.0
August 30, 2024 CVE-2023-6378, CVE-2023-6481, CVE-2024-37890, CVE-2023-46589, CVE-2024-37890, CVE-2024-4067, CVE-2024-4068, CVE-2024-38357, CVE-2024-38356 Multiple vulnerabilities in open source components affect HCL Commerce HCL Commerce versions 9.1.0.0 - 9.1.15.0
May 20, 2024 CVE-2018-25032, CVE-2002-0059, CVE-2022-37434, CVE-2023-27859, CVE-2023-38003, CVE-2023-38727, CVE-2023-43020, CVE-2023-45178, CVE-2023-47158, CVE-2023-47145, CVE-2023-47701, CVE-2023-47746, CVE-2023-40687, CVE-2023-40692, CVE-2023-47747, CVE-2023-22081, CVE-2023-5676, CVE-2024-20952, CVE-2023-33850, CVE-2023-29258, CVE-2023-46167, CVE-2023-47141, CVE-2023-45193, CVE-2023-45178, CVE-2023-50308, CVE-2023-47152, CVE-2023-38729, CVE-2024-27254, CVE-2012-2677, CVE-2024-25046, CVE-2024-25030, CVE-2024-22360, CVE-2023-52296 Multiple vulnerabilities in IBM Db2 affect HCL Commerce IBM Db2 Database
May 13, 2024 CVE-2024-23576 Potential denial of service and information disclosure vulnerability in HCL Commerce HCL Commerce versions 9.1.12.0 and 9.1.13.0
May 1, 2024 CVE-2023-32342, CVE-2023-27554, CVE-2023-24966, CVE-2022-39161 Multiple vulnerabilities in IBM WebSphere Application Server and IBM HTTP Server affect HCL Commerce WebSphere Application Server and IBM HTTP Server

included in:

HCL Commerce versions 9.1.0.0 - 9.1.12.0
May 1, 2024 CVE-2022-40609, CVE-2023-21930, CVE-2023-21967, CVE-2023-21954, CVE-2023-21968, CVE-2023-21937, CVE-2023-21938, CVE-2023-35890, CVE-2023-22, CVE-2023-22049045, CVE-2023-22049 Multiple vulnerabilities in IBM WebSphere Application Server and IBM Java SDK affect HCL Commerce WebSphere Application Server and IBM Java SDK

included in:

HCL Commerce versions 9.1.0.0 - 9.1.13.0
March 6, 2024 CVE-2023-44487, CVE-2023-46158 Multiple vulnerabilities in IBM WebSphere Application Server Liberty affect HCL Commerce WebSphere Application Server V8.5.5 Liberty

included in:

HCL Commerce versions 9.1.0.0 - 9.1.14
December 14, 2023 CVE-2023-50164, CVE-2023-41835 A vulnerability in Apache Struts 2 affects HCL Commerce Apache Struts 2

included in:

HCL Commerce versions 9.1.0 - 9.1.15.0
December 13, 2023 CVE-2023-44487, CVE-2023-45648, CVE-2023-42795 Multiple vulnerabilities in Apache Tomcat affect HCL Commerce Apache Tomcat

included in:

HCL Commerce versions 9.1.12 - 9.1.14
December 13, 2023 CVE-2023-45818, CVE-2023-48219 Multiple vulnerabilities in TinyMCE affect HCL Commerce TinyMCE

included in:

HCL Commerce versions 9.1.14.0 - 9.1.14.1
December 13, 2023 CVE-2023-5072 A vulnerability in JSON-Java affects HCL Commerce JSON-Java

included in:

HCL Commerce versions 9.1.0 - 9.1.14
November 27, 2023 CVE-2021-41182, CVE-2021-41183, CVE-2021-41184, CVE-2022-31160 Multiple vulnerabilities in jQuery-UI affect HCL Commerce jQuery

included in:

HCL Commerce versions 9.1.0.0 - 9.1.11.0
November 7, 2023 CVE-2016-3012, CVE-2020-11022, CVE-2012-6708, CVE-2019-11358, CVE-2015-9251, CVE-2020-11023, CVE-2018-1838, CVE-2015-5041 Multiple vulnerabilities in IBM Security Directory Suite affect HCL Commerce IBM Security Directory Suite

included in:

HCL Commerce version 9.1
October 23, 2023 CVE-2023-37532 A path traversal vulnerability affects HCL Commerce HCL Commerce versions 9.1.8.0 - 9.1.13.2
September 19, 2023 WS-2021-0646 A vulnerability in Apache Lucene affects HCL Commerce with Elasticsearch Apache Lucene

included in:

HCL Commerce versions 9.1.0.0 - 9.1.13.2
July 20, 2023 CVE-2023-3446, CVE-2023-2976, WS-2021-0646 Multiple vulnerabilities in open source libraries affect HCL Commerce with Elasticsearch HCL Commerce versions 9.1.0.0 - 9.1.13.1
June 23, 2023 CVE-2023-24998, CVE-2023-26283 Multiple vulnerabilities in IBM WebSphere Application Server affect HCL Commerce WebSphere Application Server

included in:

HCL Commerce versions 9.1.0.0 - 9.1.12.0
June 23, 2023 CVE-2023-30441, CVE-2023-25690 Multiple vulnerabilities in IBM Java SDK and IBM HTTP Server included with IBM WebSphere Application Server affect HCL Commerce IBM Java SDK and IBM HTTP Server

included in:

HCL Commerce versions 9.1.0.0 - 9.1.12.0
June 5, 2023 CVE-2023-23477, CVE-2022-22477, CVE-2022-38712, CVE-2022-34336, CVE-2022-40750, CVE-2022-34165, CVE-2022-35282, CVE-2022-22473 Multiple vulnerabilities in WebSphere Application Server affect HCL Commerce WebSphere Application Server

included in:

HCL Commerce versions 9.1.0.0 - 9.1.11.0
June 5, 2023 CVE-2022-24839, CVE-2022-22476 Multiple vulnerabilities in WebSphere Application Server Liberty affect HCL Commerce WebSphere Application Server V8.5.5 Liberty

included in:

HCL Commerce versions 9.1.0.0 - 9.1.11.0
June 5, 2023 CVE-2022-43680, CVE-2022-37436, CVE-2022-21541, CVE-2021-2163, CVE-2022-21540, CVE-2022-21626, CVE-2017-9233, CVE-2013-0340, CVE-2022-21624 Multiple vulnerabilities in IBM Java SDK and IBM HTTP Server included with WebSphere Application Server affect HCL Commerce IBM HTTP Server and WebSphere Application Server

included in:

HCL Commerce versions 9.1.0.0 - 9.1.11.0
June 5, 2023 CVE-2022-34917 Vulnerabilities in Apache Kafka affect HCL Commerce Apache Kafka

included in:

HCL Commerce versions 9.1.0.0 - 9.1.11.0
April 19, 2023 CVE-2022-40674, CVE-2022-43680, CVE-2022-43930, CVE-2022-43929, CVE-2022-43927 Multiple vulnerabilities in IBM Db2 affect HCL Commerce IBM Db2 Database
November 28, 2022 CVE-2022-22389, CVE-2022-35637, CVE-2022-22483, CVE-2022-22390 Multiple vulnerabilities in IBM Db2 affect HCL Commerce IBM Db2 Database
November 2, 2022 CVE-2022-38656 HCL Commerce, when using Elasticsearch, could be affected by a denial of service vulnerability HCL Commerce versions 9.1.8.0 - 9.1.11.0
September 20, 2022 CVE-2022-26377, CVE-2022-28615, CVE-2022-28614, CVE-2022-29404, CVE-2022-31813, CVE-2022-30556 Multiple vulnerabilities in IBM HTTP Server included with WebSphere Application Server affect HCL Commerce IBM HTTP Server and WebSphere Application Server

included in:

HCL Commerce versions 9.1.0.0 - 9.1.10.0
July 29, 2022 CVE-2021-27785 HCL Commerce could allow a local attacker to obtain sensitive personal information HCL Commerce versions 9.1.0.0 - 9.1.10.0
July 21, 2022 CVE-2021-31805, CVE-2022-24839, CVE-2022-2950 Multiple vulnerabilities in open source components affect HCL Commerce Apache Struts 2, org.cyberneko.html

included in:

HCL Commerce versions 9.1.0.0 - 9.1.10.0
July 21, 2022 CVE-2020-36518 Jackson-databind vulnerability affects HCL Commerce jackson-databind

included in:

HCL Commerce versions 9.1.0.0 - 9.1.10.0
July 21, 2022 CVE-2022-22475, CVE-2021-46708, CVE-2022-22393 Multiple vulnerabilities in WebSphere Application Server Liberty affect HCL Commerce WebSphere Application Server V8.5.5 Liberty

included in:

HCL Commerce versions 9.1.0.0 - 9.1.10.0
July 21, 2022 CVE-2022-22721, CVE-2022-22720, CVE-2022-22365, CVE-2022-22719 Multiple vulnerabilities in IBM HTTP Server and WebSphere Application Server affect HCL Commerce IBM HTTP Server and WebSphere Application Server

included in:

HCL Commerce versions 9.1.0.0 - 9.1.10.0
July 5, 2022 CVE-2022-25315, CVE-2021-35550, CVE-2022-25313, CVE-2022-21340, CVE-2022-25236, CVE-2021-35603, CVE-2022-25235 Multiple vulnerabilities in IBM Java SDK and IBM HTTP Server included with WebSphere Application Server affect HCL Commerce IBM Java SDK and IBM HTTP Server

included in:

HCL Commerce versions 9.1.0.0 - 9.1.9.0
July 5, 2022 CVE-2021-39038 A vulnerability in WebSphere Application Server affects HCL Commerce WebSphere Application Server

included in:

HCL Commerce versions 9.1.0.0 - 9.1.9.0
June 2, 2022 WS-2021-0616, CVE-2021-22096 Multiple vulnerabilities in open source components affect HCL Commerce jackson-databind, Spring Framework

included in:

HCL Commerce versions 9.1.0.0 - 9.1.9.0
April 19, 2022 CVE-2021-41035,CVE-2021-35560, CVE-2021-2388, CVE-2021-35578, CVE-2021-2369, CVE-2021-2432, CVE-2021-2341 Multiple vulnerabilities in IBM Security Directory Suite affect HCL Commerce IBM Security Directory Suite

included in:

HCL Commerce version 9.1
April 19, 2022 CVE-2022-23307, CVE-2022-23437, CVE-2021-22060 Multiple vulnerabilities in open source components affect HCL Commerce HCL Commerce versions 9.1.0.0 - 9.1.9.0
April 19, 2022 CVE-2022-0198, CVE-2021-43797, CVE-2022-0235 Multiple vulnerabilities in open source components affect HCL Commerce HCL Commerce versions 9.1.0.0 - 9.1.9.0
April 9, 2022 CVE-2021-23450, CVE-2022-23990, CVE-2022-23852, CVE-2022-22822, CVE-2022-22823, CVE-2022-22825, CVE-2021-46143, CVE-2022-22824, CVE-2022-22826, CVE-2022-22827, CVE-2021-45960 Multiple vulnerabilities in IBM HTTP Server and WebSphere Application Server affect HCL Commerce HCL Commerce versions 9.1.0.0 - 9.1.9.0
April 5, 2022 CVE-2021-27751 HCL Commerce is affected by Insufficient Session Expiration vulnerability HCL Commerce versions 9.1.0.0 - 9.1.8.0
April 4, 2022 CVE-2021-40438, CVE-2021-45046, CVE-2021-4104, CVE-2021-36090, CVE-2021-38951, CVE-2021-34798, CVE-2021-35517, CVE-2021-35578, CVE-2021-35564, CVE-2021-2369, CVE-2021-39275, CVE-2021-29842 Multiple security vulnerabilities in WebSphere Application Server affect HCL Commerce HCL Commerce versions 9.1.0.0 - 9.1.8.0
March 24, 2022 CVE-2022-23307, CVE-2022-23302, CVE-2022-23305 Vulnerability in Apache Log4j 1.2 affects HCL Commerce HCL Commerce versions 9.1.0.0 - 9.1.9.0
March 24, 2022 CVE-2021-37136,CVE-2021-37137 Multiple vulnerabilities in Netty All affect HCL Commerce HCL Commerce versions 9.1.1.0 - 9.1.8.0
March 24, 2022 CVE-2021-3878, CVE-2021-27568, CVE-2021-3869, CVE-2012-0881, CVE-2021-44832, CVE-2021-42550, CVE-2013-4002, CVE-2014-0107, CVE-2009-2625 Multiple vulnerabilities in open source libraries affect HCL Commerce with Elasticsearch HCL Commerce versions 9.1.0.0 - 9.1.8.1
January 20, 2022 CVE-2021-26272 Vulnerability in CKeditor affects HCL Commerce HCL Commerce versions 9.1.0.0 - 9.1.6.0
January 14, 2022 CVE-2021-27750 Session termination vulnerability in HCL Commerce HCL Commerce versions 9.1.0.0 - 9.1.6.0
December 16, 2021 CVE-2021-4104 Vulnerability in Apache Log4j 1.2 affects HCL Commerce HCL Commerce version 9.1
December 12, 2021 CVE-2021-44228,CVE-2021-45046, CVE-2021-45105 Multiple vulnerabilities in Apache Log4j 2 affect HCL Commerce HCL Commerce version 9.1
October 14, 2021 CVE-2021-29736 Privilege Escalation vulnerability in WebSphere Application Server affects HCL Commerce HCL Commerce versions 9.1.0.0 - 9.1.7.0
October 11, 2021 CVE-2021-33037 Vulnerability in Apache Tomcat affects HCL Commerce HCL Commerce versions 9.1.0.0 - 9.1.7.0
October 11, 2021 CVE-2021-36373, CVE-2021-36374 Multiple vulnerabilities in Apache Ant affect HCL Commerce HCL Commerce versions 9.1.0.0 - 9.1.7.0
September 1, 2021 CVE-2020-5258, CVE-2021-20453, CVE-2021-20454, CVE-2021-26296, CVE-2021-2161, CVE-2015-5262, CVE-2011-1498, CVE-2014-3577, CVE-2012-6153, CVE-2021-29754 Multiple vulnerabilities in WebSphere Application Server affect HCL Commerce HCL Commerce versions 9.1.0.0 - 9.1.6.0
September 1, 2021 CVE-2021-31811, CVE-2021-31812 Multiple security vulnerabilities in Apache PDFBox affect HCL Commerce HCL Commerce versions 9.1.0.0 - 9.1.6.0
August 11, 2021 CVE-2021-27807, CVE-2021-27906 Multiple vulnerabilities in Apache PDFBox affect HCL Commerce HCL Commerce versions 9.1.0.0 - 9.1.6.0
August 11, 2021 CVE-2020-11996, CVE-2020-13934, CVE-2021-25122, CVE-2021-25329, CVE-2021-24122, CVE-2020-1935, CVE-2020-13943 Multiple vulnerabilities in Apache Tomcat affects HCL Commerce HCL Commerce versions 9.1.0.0 - 9.1.6.0
August 11, 2021 CVE-2020-5016 A vulnerability in WebSphere Application Server affects HCL Commerce HCL Commerce versions 9.1.0.0 - 9.1.6.0
July 19, 2021 CVE-2021-27741 XML external entity (XXE) injection vulnerability in HCL Commerce HCL Commerce versions 9.1.0.0 - 9.1.5.0
May 11, 2021 CVE-2020-7021, CVE-2020-28491, CVE-2021-21290 Multiple vulnerabilities in Jackson Dataformat, Netty Handler and Elastic Search affect HCL Commerce HCL Commerce versions 9.1.0.0 - 9.1.5.0
May 11, 2021 CVE-2021-21290 Information disclosure vulnerability in Netty All library affects HCL Commerce HCL Commerce versions 9.1.0.0 - 9.1.5.0
May 4, 2021 CVE-2020-14797, CVE-2020-4949, CVE-2021-20353, CVE-2021-20354, CVE-2020-2773, CVE-2020-14782, CVE-2020-27221, CVE-2020-14781 Multiple vulnerabilities in WebSphere Application Server affects HCL Commerce HCL Commerce versions 9.1.0.0 - 9.1.5.0
May 4, 2021 CVE-2020-4782, CVE-2020-4576 Multiple vulnerabilities in WebSphere Application Server affects HCL Commerce HCL Commerce versions 9.1.0.0 - 9.1.3.0
May 3, 2021 CVE-2020-17530 Vulnerability in Apache Struts affects HCL Commerce HCL Commerce versions 9.1.0.0 - 9.1.4.0
May 3, 2021 CVE-2020-25649 Multiple vulnerabilities in Jackson Databind affects HCL Commerce HCL Commerce versions 9.1.0.0 - 9.1.4.0
May 3, 2021 CVE-2020-15250 Vulnerability in JUnit4 affects HCL Commerce HCL Commerce versions 9.1.0.0 - 9.1.3.0
May 3, 2021 CVE-2020-9281, CVE-2018-17960 Cross-site scripting (XSS) vulnerabilities in CKEditor shipped with HCL Commerce HCL Commerce versions 9.1.0.0 - 9.1.5.0
January 29, 2021 WS-2017-0225 Vulnerability in Swagger UI affects HCL Commerce HCL Commerce version 9.1
January 19, 2021 CVE-2020-14275 Potential denial of service and information disclosure vulnerability in HCL Commerce HCL Commerce versions 9.1.0 - 9.1.4
January 19, 2021 CVE-2020-14274 Information disclosure vulnerability in HCL Commerce HCL Commerce versions 9.1.0 - 9.1.4
November 14, 2020 CVE-2020-2601, CVE-2020-14621, CVE-2020-14581, CVE-2020-14579, CVE-2020-14578, CVE-2020-14577, CVE-2020-2590 Security vulnerabilities in IBM® Java SDK included with WebSphere Application Server affect HCL Commerce IBM® Java SDK included with WebSphere Application Server

included in:

HCL Commerce versions 9.1.0 - 9.1.2
November 14, 2020 CVE-2020-4589, CVE-2020-4643, CVE-2020-4578 Multiple vulnerabilities in WebSphere Application Server affects HCL Commerce WebSphere Application Server

included in:

HCL Commerce versions 9.1.0 - 9.1.2