Severity by source
AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
Authenticated low-privilege user required (PR:L), user interaction needed to trigger scenario (UI:R), only limited confidentiality disclosure with no integrity or availability impact.
Primary rating from Vendor (HCL).
CVSS VectorVendor: HCL
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
HCL Connections contains a broken access control vulnerability that may allow an unauthorized user to view data in a single specific scenario.
AnalysisAI
HCL Connections exposes a broken access control flaw that permits a low-privileged, authenticated user to view data they should not be authorized to access, but only under one specific scenario. Classified under CWE-284 (Improper Access Control), the vulnerability requires network access, low privileges, and user interaction, limiting its real-world exploitation surface considerably. No public exploit code or active exploitation has been identified at time of analysis, and the CVSS score of 3.5 reflects a genuinely low-severity finding.
Technical ContextAI
HCL Connections (CPE: cpe:2.3:a:hclsoftware:connections:*:*:*:*:*:*:*:*) is an enterprise social collaboration platform developed by HCL Software, used for internal networking, file sharing, and team collaboration in corporate environments. The root cause class is CWE-284 (Improper Access Control), which describes a failure to correctly enforce authorization checks on a resource. In this instance, a specific code path or scenario fails to verify that the requesting user has the appropriate permission to view certain data, allowing unauthorized data disclosure. The AV:N/AC:L/PR:L/UI:R CVSS vector indicates the flaw is reachable over the network but requires the attacker to be authenticated (low privileges) and that some form of user interaction is involved in triggering the condition.
RemediationAI
Consult HCL's official advisory at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0130163 (KB0130163) for the patched release version; a vendor-released patch is referenced but the exact fix version is not independently confirmed from available data. If a patch cannot be applied immediately, consider restricting access to HCL Connections to trusted internal networks or VPN-only access, which limits the attack surface given the AV:N vector. Audit user roles and permissions within HCL Connections to ensure least-privilege principles are enforced, as the flaw is constrained to authenticated low-privilege users. Monitoring access logs for anomalous data retrieval by non-administrative accounts may help detect exploitation attempts in the narrow scenario described.
More in Connections
View allHCL Connections 6.5 is vulnerable to possible information leakage. Rated medium severity (CVSS 5.5), this vulnerability
The HCL Connections 5.5 help system is vulnerable to cross-site scripting, caused by improper validation of user-supplie
Cross-site request forgery (CSRF) vulnerability in IBM Connections 4.x through 4.5 CR5, 5.0 before CR4, and 5.5 before C
IBM Connections 3.x before 3.0.1.1 CR3, 4.0 before CR4, 4.5 before CR5, and 5.0 before CR3 does not properly detect recu
IBM Connections 4.x through 4.5 CR5, 5.0 before CR4, and 5.5 before CR1 allows remote authenticated users to obtain sens
HCL Connections contains a broken access control vulnerability that may expose sensitive information to unauthorized use
HCL Connections is vulnerable to an information disclosure vulnerability which could allow a user to obtain sensitive in
"HCL Connections is vulnerable to possible information leakage and could disclose sensitive information via stack trace
HCL Connections is vulnerable to reflected cross-site scripting (XSS) where an attacker may leverage these issues to exe
Cross-site request forgery (CSRF) vulnerability in the Profiles component in IBM Connections through 3.0.1.1 CR3 allows
HCL Connections is vulnerable to an information disclosure vulnerability which could allow a user to obtain sensitive in
IBM Connections 4.0, 4.5, 5.0, and 5.5 is vulnerable to cross-site scripting. Rated medium severity (CVSS 5.4), this vul
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210310
GHSA-p83g-vrrg-rq2w