Severity by source
CVSS 3.1 vector (NVD): CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N (base score 3.7, Low)
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
HCL iControl was affected by a Missing Security Headers vulnerability, which leads to cross-site scripting (XSS) attacks by enabling the built-in XSS filtering mechanisms of modern web browsers.
Analysis (AI)
HCL iControl does not send the HTTP response headers that tell a browser to apply its client-side defenses against cross-site scripting, a gap classified under CWE-693 (Protection Mechanism Failure). The weakness is reachable over the network without authentication (AV:N, PR:N), yet the CVSS 3.1 base score is 3.7 (Low): attack complexity is rated high (AC:H), reflecting that missing headers are not exploitable on their own and only weaken the browser's defense against a separate script-injection point, and the impact is limited to integrity (I:L). No public exploit code is referenced and the CVE is not listed in CISA KEV, which places it in the compliance/hardening category rather than the immediate critical-risk queue.
Technical Context (AI)
HCL iControl is HCL's web-based IT operations management platform. CWE-693 (Protection Mechanism Failure) covers flaws where an application fails to use, or misconfigures, a security mechanism that is available to it. Here the application does not emit the HTTP response headers, such as Content-Security-Policy (CSP), X-Content-Type-Options, or the legacy X-XSS-Protection, that direct a browser to apply its own defenses against injected script. Without a CSP that restricts script sources (and in particular does not allow 'unsafe-inline' for scripts), a payload that reaches the page is executed by the browser as-is; without X-Content-Type-Options: nosniff, a browser may sniff a non-HTML response into HTML and execute script from it. X-XSS-Protection has little practical value today: Chromium removed its XSS Auditor in Chrome 78, Microsoft retired the equivalent filter from Edge in 2018, and Firefox never implemented the header, so a restrictive CSP remains the durable, industry-standard control. These headers are defense in depth: they reduce the impact of an injection flaw but do not remove the need for contextual output encoding in the application itself. No CPE strings were provided in the available intelligence data.
Remediation (AI)
The primary remediation is to consult and apply HCL's vendor advisory KB0131041 at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0131041; no patched version number was included in the available intelligence data, so the advisory must be reviewed for specific fix versions. As an immediate compensating control, configure the web server or reverse proxy in front of HCL iControl to add the headers itself: a Content-Security-Policy with restrictive default-src and script-src directives (ideally nonce- or hash-based rather than 'unsafe-inline') is the most impactful control and works in every modern browser; X-Content-Type-Options: nosniff prevents MIME-type sniffing. For X-XSS-Protection, current OWASP guidance is to send X-XSS-Protection: 0 rather than 1; mode=block, because modern browsers ignore the header and the legacy filters it enabled introduced their own bugs and information leaks; do not treat it as a defense. In nginx use add_header with the always parameter so the headers are also sent on error responses, and remember that add_header directives in a location block replace, rather than extend, those inherited from the server block; in Apache the equivalent is Header always set. The trade-off is that an overly restrictive CSP may break legitimate application functionality, so start with Content-Security-Policy-Report-Only, review the violation reports, and test in a staging environment before enforcing broadly. Headers do not fix the injection points themselves; any reflected or stored XSS in the product still needs output encoding in the application code.
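A practitioner will want to verify the compensating control rather than trust the proxy configuration. The following audit script is an added example (not HCL's or vuln.today's code): it parses a raw HTTP response, checks for the three headers named above, and evaluates whether the CSP actually restricts script sources, including the CSP Level 2 rule that a nonce or hash source makes 'unsafe-inline' inert. Both sample responses are constructed by hand and are not captured from HCL iControl; their header values are illustrative assumptions, not HCL's shipped configuration.

```python
"""Audit an HTTP response for the browser-side XSS mitigation headers.

Added example, not HCL's or vuln.today's code. The two responses below are
constructed by hand for the demonstration, not captured from HCL iControl.
"""

# Constructed sample: the "missing headers" case (no CSP, no nosniff).
WEAK_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Set-Cookie: JSESSIONID=abc; Path=/\r\n"
    b"\r\n"
    b"<html><body>Hello</body></html>"
)

# Constructed sample: the same response after a reverse proxy adds the headers.
HARDENED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-d3adb33f'; "
    b"object-src 'none'; base-uri 'self'\r\n"
    b"X-Content-Type-Options: nosniff\r\n"
    b"X-XSS-Protection: 0\r\n"
    b"\r\n"
    b"<html><body>Hello</body></html>"
)


def parse_headers(raw):
    """Return {lower-cased name: [values...]} from a raw HTTP/1.1 response head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def parse_csp(policy):
    """Return {directive: [sources...]} for one Content-Security-Policy value."""
    directives = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def csp_restricts_scripts(policy):
    """True if this policy blocks injected inline or arbitrary-origin scripts.

    script-src falls back to default-src; 'unsafe-inline' is ignored by CSP2+
    browsers when a nonce or hash source is present in the same directive.
    """
    d = parse_csp(policy)
    sources = d.get("script-src", d.get("default-src"))
    if sources is None:
        return False  # no directive governs scripts at all
    lowered = [s.lower() for s in sources]
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in lowered
    )
    if "'unsafe-inline'" in lowered and not has_nonce_or_hash:
        return False  # injected <script> bodies and event handlers would run
    if "*" in lowered or "data:" in lowered:
        return False  # effectively any origin (or data: URLs) may supply scripts
    return True


def audit(raw):
    """Return a list of findings for one raw response; empty means the
    headers named in the advisory text are present and usable."""
    h = parse_headers(raw)
    findings = []

    csps = h.get("content-security-policy", [])
    if not csps:
        findings.append("missing Content-Security-Policy")
    elif not any(csp_restricts_scripts(p) for p in csps):
        # Browsers enforce every CSP header sent; a script runs only if all
        # policies allow it, so one restrictive policy is enough.
        findings.append("Content-Security-Policy does not restrict script sources")

    xcto = [v.lower() for v in h.get("x-content-type-options", [])]
    if "nosniff" not in xcto:
        findings.append("missing X-Content-Type-Options: nosniff")

    xxp = h.get("x-xss-protection", [])
    if xxp and not xxp[0].strip().startswith("0"):
        # Legacy-only header: modern browsers ignore it and OWASP recommends
        # the value 0 because the old filters could be abused. Informational.
        findings.append("X-XSS-Protection enables the legacy browser filter")
    return findings


if __name__ == "__main__":
    for name, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(name, audit(resp) or "no findings")
```

To run it against a live deployment, feed it the raw bytes of a response (for example the output of curl -si) in place of the constructed samples. The check deliberately treats a nonce- or hash-based script-src as sufficient and 'unsafe-inline' without one as a failure, since allowing inline script is exactly what an injected payload needs.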
CSV injection and reflected cross-site scripting affect HCL iControl due to insufficient input sanitization in the Expor
HCL iControl's web interface fails to automatically expire user sessions after inactivity, leaving authenticated session
Weak input validation in HCL iControl allows authenticated remote attackers to submit input of an unexpected type, resul
Stack trace disclosure in HCL iControl v4.0.0 exposes internal application details to authenticated remote attackers via
HCL iControl exposes session cookies without the Secure or SameSite attributes set, and with the cookie path scoped to r
Same weakness CWE-693 – Protection Mechanism Failure
External POC / Exploit Code
EUVD-2025-210060
GHSA-2v7w-jm74-g6m3