Skip to main content

HCL Connections CVE-2025-15619

| EUVDEUVD-2025-210310 LOW
Improper Access Control (CWE-284)
2026-06-23 HCL GHSA-p83g-vrrg-rq2w
3.5
CVSS 3.1 · Vendor: HCL

Severity by source

Vendor (HCL) PRIMARY
3.5 LOW
AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
vuln.today AI
3.5 LOW

Authenticated low-privilege user required (PR:L), user interaction needed to trigger scenario (UI:R), only limited confidentiality disclosure with no integrity or availability impact.

3.1 AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (HCL).

CVSS VectorVendor: HCL

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 23, 2026 - 16:02 vuln.today

DescriptionCVE.org

HCL Connections contains a broken access control vulnerability that may allow an unauthorized user to view data in a single specific scenario.

AnalysisAI

HCL Connections exposes a broken access control flaw that permits a low-privileged, authenticated user to view data they should not be authorized to access, but only under one specific scenario. Classified under CWE-284 (Improper Access Control), the vulnerability requires network access, low privileges, and user interaction, limiting its real-world exploitation surface considerably. No public exploit code or active exploitation has been identified at time of analysis, and the CVSS score of 3.5 reflects a genuinely low-severity finding.

Technical ContextAI

HCL Connections (CPE: cpe:2.3:a:hclsoftware:connections:*:*:*:*:*:*:*:*) is an enterprise social collaboration platform developed by HCL Software, used for internal networking, file sharing, and team collaboration in corporate environments. The root cause class is CWE-284 (Improper Access Control), which describes a failure to correctly enforce authorization checks on a resource. In this instance, a specific code path or scenario fails to verify that the requesting user has the appropriate permission to view certain data, allowing unauthorized data disclosure. The AV:N/AC:L/PR:L/UI:R CVSS vector indicates the flaw is reachable over the network but requires the attacker to be authenticated (low privileges) and that some form of user interaction is involved in triggering the condition.

RemediationAI

Consult HCL's official advisory at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0130163 (KB0130163) for the patched release version; a vendor-released patch is referenced but the exact fix version is not independently confirmed from available data. If a patch cannot be applied immediately, consider restricting access to HCL Connections to trusted internal networks or VPN-only access, which limits the attack surface given the AV:N vector. Audit user roles and permissions within HCL Connections to ensure least-privilege principles are enforced, as the flaw is constrained to authenticated low-privilege users. Monitoring access logs for anomalous data retrieval by non-administrative accounts may help detect exploitation attempts in the narrow scenario described.

CVE-2020-4083 MEDIUM POC
5.5 Mar 05

HCL Connections 6.5 is vulnerable to possible information leakage. Rated medium severity (CVSS 5.5), this vulnerability

CVE-2020-4082 MEDIUM POC
5.4 Mar 05

The HCL Connections 5.5 help system is vulnerable to cross-site scripting, caused by improper validation of user-supplie

CVE-2016-3007 HIGH
8.8 Sep 26

Cross-site request forgery (CSRF) vulnerability in IBM Connections 4.x through 4.5 CR5, 5.0 before CR4, and 5.5 before C

CVE-2015-5038 HIGH
7.5 Jan 03

IBM Connections 3.x before 3.0.1.1 CR3, 4.0 before CR4, 4.5 before CR5, and 5.0 before CR3 does not properly detect recu

CVE-2016-2999 MEDIUM
6.5 Sep 26

IBM Connections 4.x through 4.5 CR5, 5.0 before CR4, and 5.5 before CR1 allows remote authenticated users to obtain sens

CVE-2024-30107 MEDIUM
6.5 Apr 18

HCL Connections contains a broken access control vulnerability that may expose sensitive information to unauthorized use

CVE-2023-28022 MEDIUM
6.5 Dec 15

HCL Connections is vulnerable to an information disclosure vulnerability which could allow a user to obtain sensitive in

CVE-2020-4085 MEDIUM
6.5 Apr 22

"HCL Connections is vulnerable to possible information leakage and could disclose sensitive information via stack trace

CVE-2023-37533 MEDIUM
6.1 Nov 09

HCL Connections is vulnerable to reflected cross-site scripting (XSS) where an attacker may leverage these issues to exe

CVE-2014-0929 MEDIUM
6.0 Jun 08

Cross-site request forgery (CSRF) vulnerability in the Profiles component in IBM Connections through 3.0.1.1 CR3 allows

CVE-2024-30118 MEDIUM
5.7 Oct 09

HCL Connections is vulnerable to an information disclosure vulnerability which could allow a user to obtain sensitive in

CVE-2016-5932 MEDIUM
5.4 Mar 01

IBM Connections 4.0, 4.5, 5.0, and 5.5 is vulnerable to cross-site scripting. Rated medium severity (CVSS 5.4), this vul

Share

CVE-2025-15619 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy