Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
HCL Aftermarket DPC is affected by File Discovery which allows attacker could exploit this issue to read sensitive files present in the system and may use it to craft further attacks.
AnalysisAI
HCL Aftermarket DPC version 1.0.0 is vulnerable to unauthenticated file discovery that allows remote attackers to read sensitive files from the system without user interaction beyond a single click, potentially enabling reconnaissance for follow-on attacks. The vulnerability carries a CVSS score of 6.5 (Medium) with high confidentiality impact but no integrity or availability consequences. No public exploit code or active exploitation has been reported at the time of analysis.
Technical ContextAI
The vulnerability is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), a broad information disclosure weakness that reflects improper access controls or path traversal mechanisms in file handling logic. HCL Aftermarket DPC (cpe:2.3:a:hcl:aftermarket_dpc:*:*:*:*:*:*:*:*) does not implement sufficient restrictions on file enumeration or access, permitting attackers to discover and retrieve sensitive files through the network. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) indicates the attack is network-accessible with low complexity, requires no privileges, and necessitates minimal user interaction (a single click), suggesting a direct HTTP request or client-side redirect mechanism that exposes the file discovery interface.
RemediationAI
Contact HCL Software to obtain and deploy the patched version of Aftermarket DPC beyond version 1.0.0; consult the vendor advisory at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0129793 for specific patch version availability and deployment instructions. Until patching is completed, implement network-level access controls to restrict inbound connections to Aftermarket DPC to trusted IP ranges, disable or restrict file enumeration features if configurable, and monitor file access logs for unauthorized file discovery attempts. Consider isolating Aftermarket DPC instances to a separate network segment to limit exposure if compromised.
More in Aftermarket Dpc
View allSQL injection in HCL Aftermarket DPC version 1.0.0 enables unauthenticated remote attackers to extract sensitive databas
Missing functional level access control in HCL Aftermarket DPC version 1.0.0 enables privilege escalation attacks that c
Hardcoded credentials in HCL Aftermarket DPC version 1.0.0 enable authenticated low-privilege attackers with user intera
HCL Aftermarket DPC versions up to 1.0.0 are vulnerable to session fixation attacks that enable attackers to hijack user
HCL Aftermarket DPC versions prior to and including 1.0.0 suffer from an unrestricted file upload vulnerability (CWE-434
Session invalidation failure in HCL Aftermarket DPC versions up to 1.0.0 allows authenticated attackers to maintain acti
HCL Aftermarket DPC version 1.0.0 is vulnerable to excessive spamming that consumes server bandwidth and processing reso
HCL Aftermarket DPC is vulnerable to Cross Domain Script Include (CWE-829) that permits unauthenticated remote attackers
HCL Aftermarket DPC version 1.0.0 enforces weak password policies that enable attackers to conduct brute-force attacks a
HCL Aftermarket DPC versions up to 1.0.0 contain an admin session concurrency vulnerability that allows authenticated at
HCL Aftermarket DPC version 1.0.0 contains improper input validation (CWE-20) that enables multiple injection attack vec
HTTP Response Splitting in HCL Aftermarket DPC allows unauthenticated remote attackers to inject arbitrary content or co
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209053
GHSA-pw9r-4x84-7pxx