HCL DFXAnalytics CVE-2025-31970

EUVD-2025-209659 | MEDIUM
Improperly Implemented Security Check for Standard (CWE-358)
2026-05-06 | HCL | GHSA-wwg7-35h6-45wq
CVSS 3.1 base score: 5.3

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Lifecycle Timeline

1. Analysis Generated: May 06, 2026, 11:30 (vuln.today)

Description (NVD)

HCL DFXAnalytics is affected by an Insecure Security Header configuration vulnerability where the Content-Security-Policy does not define strict directives for object-src and base-uri, which could allow an attacker to exploit injection vectors such as Cross-Site Scripting (XSS).

Analysis (AI)

HCL DFXAnalytics does not enforce strict Content-Security-Policy (CSP) directives for object-src and base-uri. The policy therefore does not contain an injected plugin element or a rewritten document base URL, so an injection vector such as cross-site scripting (XSS) can be exploited without authentication or user interaction. The vulnerability is network-accessible, affects all versions, and results in information disclosure, with a CVSS score of 5.3; no active exploitation has been reported.

Technical Context (AI)

HCL DFXAnalytics relies on HTTP security headers to control resource loading and script execution in the browser. The Content-Security-Policy (CSP) header is the central defense here: it restricts which origins may supply resources and where code may execute. The vulnerability stems from two directives that the policy leaves unset. The object-src directive controls whether plugin content (<object>, <embed>, Flash, Java) can be embedded; base-uri restricts where the HTML <base> tag may point. Without strict settings (such as object-src 'none' and base-uri 'self'), an attacker who already has an injection point can embed plugin content or inject a <base> tag that makes every relative script, form and resource URL resolve against an attacker-controlled server. Note that object-src falls back to default-src when absent, but base-uri does not, so a policy that sets only default-src still leaves the base URL unrestricted. The issue is classified under CWE-358 (Improperly Implemented Security Check for Standard) and reflects an incomplete client-side security control: XSS payloads that the rest of the CSP was meant to block can work around it through these two gaps.

Remediation (AI)

HCL has published guidance in KB article KB0130569 at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0130569. The primary remediation is to upgrade to a patched version of HCL DFXAnalytics once HCL releases one. In the interim, apply the following compensating controls: configure the web server hosting DFXAnalytics to enforce a strict Content-Security-Policy, adding the directive object-src 'none' to block plugin execution and base-uri 'self' to prevent base URL manipulation. Set these headers at the server level (Apache mod_headers, nginx add_header, or IIS configuration) so that they apply to every response from DFXAnalytics. Additionally, restrict network access to DFXAnalytics to trusted IP ranges or place it behind a VPN or authenticating proxy. Deploy a Web Application Firewall (WAF) with XSS detection rules to block injected scripts. These compensating controls do not eliminate the vulnerability, but they reduce the attack surface while the patch is pending.
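To verify that the compensating header is actually in effect, the following added example (not HCL's code and not from the KB article) parses a Content-Security-Policy value and reports whether object-src and base-uri are effectively restricted. It applies the CSP fallback rule, which is why a policy with only default-src still reports base-uri as missing. The sample headers are constructed for illustration.

```python
from typing import Dict, List, Optional

# Per the CSP specification, object-src falls back to default-src when it is
# absent, but base-uri has no fallback: omitting it leaves <base> unrestricted.
FALLS_BACK_TO_DEFAULT = {"object-src": True, "base-uri": False}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Parse 'name value value; name ...' into {name: [values]}.
    Duplicate directives are ignored after the first, as browsers do."""
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        tokens = directive.strip().split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy: Dict[str, List[str]], name: str) -> Optional[List[str]]:
    """Sources that govern `name`, after fallback; None means unrestricted."""
    if name in policy:
        return policy[name]
    if FALLS_BACK_TO_DEFAULT[name] and "default-src" in policy:
        return policy["default-src"]
    return None


def is_strict(name: str, sources: List[str]) -> bool:
    """object-src must be exactly 'none'; base-uri may be 'none' or 'self'."""
    lowered = [s.lower() for s in sources]
    if name == "object-src":
        return lowered == ["'none'"]
    return lowered in (["'none'"], ["'self'"])


def audit_csp(header: str) -> Dict[str, str]:
    """Return 'ok', 'weak' or 'missing' for each of the two directives."""
    policy = parse_csp(header)
    findings: Dict[str, str] = {}
    for name in ("object-src", "base-uri"):
        sources = effective_sources(policy, name)
        if sources is None:
            findings[name] = "missing"
        else:
            findings[name] = "ok" if is_strict(name, sources) else "weak"
    return findings


# Constructed sample headers: a weak policy and the same policy with the fix.
WEAK = "default-src 'self'; script-src 'self' https://cdn.example.invalid"
FIXED = WEAK + "; object-src 'none'; base-uri 'self'"
```

Feed the value of the Content-Security-Policy response header into audit_csp; a finding of "weak" or "missing" on either directive means the compensating control is not yet in place.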

CVE-2025-31970 vulnerability details – vuln.today