Skip to main content

Aftermarket Dpc CVE-2025-55267

| EUVDEUVD-2025-209057 MEDIUM
Unrestricted Upload of File with Dangerous Type (CWE-434)
2026-03-26 HCL GHSA-rh5v-5pwc-jx6p
5.7
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.7 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Mar 26, 2026 - 13:15 euvd
EUVD-2025-209057
Analysis Generated
Mar 26, 2026 - 13:15 vuln.today
CVE Published
Mar 26, 2026 - 13:01 nvd
MEDIUM 5.7

DescriptionCVE.org

HCL Aftermarket DPC is affected by Unrestricted File Upload vulnerability, allows attacker to upload and execute malicious scripts, gaining full control over the server.

AnalysisAI

HCL Aftermarket DPC versions prior to and including 1.0.0 suffer from an unrestricted file upload vulnerability (CWE-434) that enables authenticated remote attackers to upload and execute arbitrary scripts on the affected server, potentially achieving full system compromise. The attack requires user interaction and low-privilege authentication but carries high integrity impact. No public exploit code or active exploitation has been confirmed; however, the vulnerability's straightforward exploitation mechanics and authenticated attack vector make it a moderate-priority issue for organizations deploying this software.

Technical ContextAI

The vulnerability resides in HCL Aftermarket DPC's file upload handling mechanism, classified under CWE-434 (Unrestricted Upload of File with Dangerous Type). The affected product is identified via CPE as cpe:2.3:a:hcl:aftermarket_dpc:*:*:*:*:*:*:*:*. The root cause is insufficient validation and restriction of uploaded file types, allowing attackers with authenticated access (PR:L per CVSS vector) to bypass server-side controls and place executable script files in web-accessible directories. Once uploaded, these scripts execute within the server's runtime context, providing command execution capabilities. The attack surface is network-accessible (AV:N) with low complexity (AC:L), indicating the vulnerability can be triggered through standard HTTP requests without specialized exploitation techniques.

RemediationAI

Upgrade HCL Aftermarket DPC to the patched version specified in the vendor advisory at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0129793. If a patched version is not yet available, implement compensating controls: enforce strict file upload validation by file extension and MIME type on the server side, restrict uploaded files to a non-executable directory outside the web root, disable script execution in upload directories via web server configuration (e.g., .htaccess or web.config directives), and limit file upload permissions to trusted users only. Additionally, implement robust input validation, antivirus scanning on uploads, and regular log monitoring for suspicious file activities.

CVE-2025-55262 HIGH
8.3 Mar 26

SQL injection in HCL Aftermarket DPC version 1.0.0 enables unauthenticated remote attackers to extract sensitive databas

CVE-2025-55261 HIGH
8.1 Mar 26

Missing functional level access control in HCL Aftermarket DPC version 1.0.0 enables privilege escalation attacks that c

CVE-2025-55263 HIGH
7.3 Mar 26

Hardcoded credentials in HCL Aftermarket DPC version 1.0.0 enable authenticated low-privilege attackers with user intera

CVE-2025-55265 MEDIUM
6.5 Mar 26

HCL Aftermarket DPC version 1.0.0 is vulnerable to unauthenticated file discovery that allows remote attackers to read s

CVE-2025-55266 MEDIUM
5.9 Mar 26

HCL Aftermarket DPC versions up to 1.0.0 are vulnerable to session fixation attacks that enable attackers to hijack user

CVE-2025-55264 MEDIUM
5.5 Mar 26

Session invalidation failure in HCL Aftermarket DPC versions up to 1.0.0 allows authenticated attackers to maintain acti

CVE-2025-55268 MEDIUM
4.3 Mar 26

HCL Aftermarket DPC version 1.0.0 is vulnerable to excessive spamming that consumes server bandwidth and processing reso

CVE-2025-55273 MEDIUM
4.3 Mar 26

HCL Aftermarket DPC is vulnerable to Cross Domain Script Include (CWE-829) that permits unauthenticated remote attackers

CVE-2025-55269 MEDIUM
4.2 Mar 26

HCL Aftermarket DPC version 1.0.0 enforces weak password policies that enable attackers to conduct brute-force attacks a

CVE-2025-55275 LOW
3.7 Mar 26

HCL Aftermarket DPC versions up to 1.0.0 contain an admin session concurrency vulnerability that allows authenticated at

CVE-2025-55270 LOW
3.5 Mar 26

HCL Aftermarket DPC version 1.0.0 contains improper input validation (CWE-20) that enables multiple injection attack vec

CVE-2025-55271 LOW
3.1 Mar 26

HTTP Response Splitting in HCL Aftermarket DPC allows unauthenticated remote attackers to inject arbitrary content or co

Share

CVE-2025-55267 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy