Severity by source
AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:L
Lifecycle Timeline
3DescriptionCVE.org
HCL Aftermarket DPC is affected by Session Fixation which allows attacker to takeover the user's session and use it carry out unauthorized transaction behalf of the user.
AnalysisAI
HCL Aftermarket DPC versions up to 1.0.0 are vulnerable to session fixation attacks that enable attackers to hijack user sessions and perform unauthorized transactions without requiring valid credentials. The vulnerability exploits improper session management to allow an attacker to force a victim to use a predetermined session identifier, then leverage that session for fraudulent activity. This is a network-accessible flaw requiring user interaction (e.g., clicking a malicious link) but no prior authentication. No public exploit code or active exploitation has been identified at the time of analysis.
Technical ContextAI
Session fixation is classified under CWE-384 and represents a fundamental failure in session management implementation. HCL Aftermarket DPC (CPE: cpe:2.3:a:hcl:aftermarket_dpc:*:*:*:*:*:*:*:*) fails to properly regenerate session identifiers upon user authentication or to invalidate pre-authentication session IDs. The vulnerability likely exists in the session handling mechanism where an unauthenticated attacker can establish a session, inject that session identifier into a victim's browser (typically via URL manipulation or other vector), and after the victim authenticates, the attacker retains access to the authenticated session. This bypasses normal authentication controls by exploiting the application's trust in an attacker-controlled session token.
RemediationAI
Apply the security update provided by HCL via their support portal at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0129793 to upgrade Aftermarket DPC to a patched version. Until patching is completed, implement session security controls including mandatory session ID regeneration upon login, secure session cookie attributes (HttpOnly, Secure, SameSite=Strict flags), short session timeout windows, and network-level protections such as HTTPS enforcement via reverse proxy with HSTS headers. Additionally, educate users to avoid clicking links from untrusted sources that may initiate pre-set sessions, and consider implementing browser security policies that restrict cross-site session hijacking.
More in Aftermarket Dpc
View allSQL injection in HCL Aftermarket DPC version 1.0.0 enables unauthenticated remote attackers to extract sensitive databas
Missing functional level access control in HCL Aftermarket DPC version 1.0.0 enables privilege escalation attacks that c
Hardcoded credentials in HCL Aftermarket DPC version 1.0.0 enable authenticated low-privilege attackers with user intera
HCL Aftermarket DPC version 1.0.0 is vulnerable to unauthenticated file discovery that allows remote attackers to read s
HCL Aftermarket DPC versions prior to and including 1.0.0 suffer from an unrestricted file upload vulnerability (CWE-434
Session invalidation failure in HCL Aftermarket DPC versions up to 1.0.0 allows authenticated attackers to maintain acti
HCL Aftermarket DPC version 1.0.0 is vulnerable to excessive spamming that consumes server bandwidth and processing reso
HCL Aftermarket DPC is vulnerable to Cross Domain Script Include (CWE-829) that permits unauthenticated remote attackers
HCL Aftermarket DPC version 1.0.0 enforces weak password policies that enable attackers to conduct brute-force attacks a
HCL Aftermarket DPC versions up to 1.0.0 contain an admin session concurrency vulnerability that allows authenticated at
HCL Aftermarket DPC version 1.0.0 contains improper input validation (CWE-20) that enables multiple injection attack vec
HTTP Response Splitting in HCL Aftermarket DPC allows unauthenticated remote attackers to inject arbitrary content or co
Same weakness CWE-384 – Session Fixation
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209055
GHSA-4mx2-9grf-8f85