Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:H
Lifecycle Timeline
3DescriptionCVE.org
HCL Aftermarket DPC is affected by SQL Injection which allows attacker to exploit this vulnerability to retrieve sensitive information from the database.
AnalysisAI
SQL injection in HCL Aftermarket DPC version 1.0.0 enables unauthenticated remote attackers to extract sensitive database contents and potentially compromise data integrity and availability. The vulnerability carries a CVSS score of 8.3 with network-based attack vector requiring user interaction. No public exploit is identified at time of analysis, and SSVC assessment indicates no current exploitation with non-automatable attack characteristics.
Technical ContextAI
HCL Aftermarket DPC version 1.0.0 (cpe:2.3:a:hcl:aftermarket_dpc:*:*:*:*:*:*:*:*) contains a SQL injection vulnerability allowing database manipulation through unsanitized user input. Interestingly, the CVE description maps to CWE-798 (Use of Hard-coded Credentials) rather than the expected CWE-89 (SQL Injection), suggesting the attack vector may involve exploiting static credentials to facilitate SQL injection attacks. The discrepancy between the described SQL injection and the assigned CWE-798 indicates this may be a compound vulnerability where hard-coded credentials enable subsequent SQL injection exploitation. The product appears to be a dealer parts commerce platform handling aftermarket automotive or industrial parts inventory and transaction data.
RemediationAI
Consult the HCL vendor security advisory at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0129793 for official patch guidance and upgrade instructions. While specific patched version numbers are not confirmed in available intelligence, the vendor advisory should provide remediation steps and updated software releases. Until patching is completed, implement defense-in-depth controls including restricting network access to the DPC platform to trusted IP ranges only, deploying web application firewall rules to detect and block SQL injection attempts, enforcing parameterized queries and input validation at the application layer if source code access permits, and monitoring database query logs for suspicious activity. Given the CWE-798 classification suggesting hard-coded credentials, also review and rotate any static authentication credentials used by the application.
More in Aftermarket Dpc
View allMissing functional level access control in HCL Aftermarket DPC version 1.0.0 enables privilege escalation attacks that c
Hardcoded credentials in HCL Aftermarket DPC version 1.0.0 enable authenticated low-privilege attackers with user intera
HCL Aftermarket DPC version 1.0.0 is vulnerable to unauthenticated file discovery that allows remote attackers to read s
HCL Aftermarket DPC versions up to 1.0.0 are vulnerable to session fixation attacks that enable attackers to hijack user
HCL Aftermarket DPC versions prior to and including 1.0.0 suffer from an unrestricted file upload vulnerability (CWE-434
Session invalidation failure in HCL Aftermarket DPC versions up to 1.0.0 allows authenticated attackers to maintain acti
HCL Aftermarket DPC version 1.0.0 is vulnerable to excessive spamming that consumes server bandwidth and processing reso
HCL Aftermarket DPC is vulnerable to Cross Domain Script Include (CWE-829) that permits unauthenticated remote attackers
HCL Aftermarket DPC version 1.0.0 enforces weak password policies that enable attackers to conduct brute-force attacks a
HCL Aftermarket DPC versions up to 1.0.0 contain an admin session concurrency vulnerability that allows authenticated at
HCL Aftermarket DPC version 1.0.0 contains improper input validation (CWE-20) that enables multiple injection attack vec
HTTP Response Splitting in HCL Aftermarket DPC allows unauthenticated remote attackers to inject arbitrary content or co
Same weakness CWE-798 – Use of Hard-coded Credentials
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209081
GHSA-2g37-4q7v-m5xx