By vendor
Hcltech vulnerabilities
Known CVEs affecting Hcltech products, prioritized by severity, with SEC.co remediation and detection guidance.
5 published vulnerabilities
- CVE-2025-52612HIGH 7.1
HCL iControl contains a vulnerability that combines CSV injection with reflected cross-site scripting (XSS) in its export function. An authenticated attacker can craft malicious input that, when a user interacts with exported CSV content or follows a specially crafted link, executes arbitrary JavaScript in the victim's browser session. The vulnerability stems from inadequate input validation and sanitization, allowing attackers to inject both CSV formulas and script payloads.
- CVE-2025-52606MEDIUM 4.3
HCL iControl contains a weakness in how it validates user input during its security architecture implementation. The application fails to properly check that incoming data matches the expected type before processing it, allowing an authenticated attacker to submit malformed input that the system does not adequately verify. This can lead to unintended modifications of application state or data.
- CVE-2025-52609LOW 3.7
HCL iControl is missing HTTP security headers that would instruct modern web browsers to block cross-site scripting (XSS) attacks. Without these headers—such as Content-Security-Policy or X-XSS-Protection—the application relies on older browser XSS filters that are inconsistently implemented and increasingly deprecated. An attacker could craft malicious input that, when processed by iControl, gets reflected in responses without proper sanitization, potentially allowing script execution in users' browsers.
- CVE-2025-52608LOW 3.1
HCL iControl contains a cookie security misconfiguration that leaves session identifiers and authentication tokens vulnerable to interception and cross-site request forgery attacks. The vulnerability stems from the absence of the Secure and SameSite cookie attributes, combined with an overly permissive cookie path set to root. While the immediate risk is moderate, this configuration flaw can enable attackers to hijack user sessions or trick authenticated users into performing unintended actions.
- CVE-2025-52611LOW 3.1
HCL iControl v4.0.0 contains a vulnerability where the application crashes and exposes internal error messages, including stack traces, when certain code paths are triggered. The underlying cause is a programming error where the application attempts to access a property (the 'dashboard key') from an object that hasn't been properly initialized or is missing entirely. While an attacker would need valid login credentials to trigger this issue, the exposure of stack trace information could help them understand the application's internal structure and identify further attack vectors.