Severity by source
CVSS Vector (NVD): CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
HCL iControl v4.0.0 is affected by an Unhandled Exception - Stack Trace Disclosure vulnerability. The error occurs because the application's JavaScript code accesses a property of an undefined object: specifically, the code attempts to read the 'dashboard' key from an object that is undefined. This issue likely stems from one of the following: a missing or improperly initialized object.
Analysis (AI)
Stack trace disclosure in HCL iControl v4.0.0 exposes internal application details to authenticated remote attackers via unhandled JavaScript exceptions. The application fails to catch the runtime error raised when it reads the 'dashboard' key from an undefined object, and returns the full stack trace to the requesting client. No public exploit exists and no active exploitation has been observed; the CVSS 3.1 base score is 3.1 (Low), reflecting a strictly limited confidentiality impact with no integrity or availability consequences.
Technical Context (AI)
HCL iControl is a web-based control application. The root cause maps to CWE-209 (Generation of Error Message Containing Sensitive Information): server-side or client-rendered JavaScript code accesses a property named 'dashboard' on an object that has not been initialized or is undefined, triggering an unhandled exception. Rather than failing gracefully with a generic error response, the application propagates the raw exception including a full stack trace back to the requester. Stack traces typically expose internal file system paths, framework/library names and versions, and application code structure - intelligence useful for planning follow-on attacks. No CPE strings were provided in source data; affected product is identified as HCL iControl v4.0.0 per vendor advisory KB0131041.
Remediation (AI)
Consult HCL's official knowledge base article KB0131041 at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0131041 for the vendor-recommended fix. No exact patched version number is confirmed from available data - the precise fix version must be obtained directly from HCL support or the advisory. As a compensating control pending patching, configure the application's error handling middleware to suppress verbose exception output and return only generic error messages in production deployments; this directly addresses CWE-209 without modifying application logic, though it may complicate debugging. Additionally, restrict access to HCL iControl to the minimum required authenticated user base to reduce the pool of principals capable of triggering the flaw. Note that suppressing stack traces treats the symptom rather than the root cause (uninitialized object); the vendor patch is the authoritative fix.
CSV injection and reflected cross-site scripting affect HCL iControl due to insufficient input sanitization in the Expor
HCL iControl's web interface fails to automatically expire user sessions after inactivity, leaving authenticated session
Weak input validation in HCL iControl allows authenticated remote attackers to submit input of an unexpected type, resul
Missing HTTP security response headers in HCL iControl fail to instruct client browsers to engage their built-in XSS fil
HCL iControl exposes session cookies without the Secure or SameSite attributes set, and with the cookie path scoped to r
Same weakness: CWE-209 – Error Message Information Leak
Same technique: Information Disclosure
EUVD-2025-210059
GHSA-v6rp-8fmq-j68m