Skip to main content

Aftermarket Dpc CVE-2025-55270

| EUVDEUVD-2025-209063 LOW
Improper Input Validation (CWE-20)
2026-03-26 HCL GHSA-jhhm-rg4m-4qmm
3.5
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
3.5 LOW
AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Mar 26, 2026 - 13:15 euvd
EUVD-2025-209063
Analysis Generated
Mar 26, 2026 - 13:15 vuln.today
CVE Published
Mar 26, 2026 - 12:59 nvd
LOW 3.5

DescriptionCVE.org

HCL Aftermarket DPC is affected by Improper Input Validation which allows an attacker to inject executable code and can carry out attacks such as XSS, SQL Injection, Command Injection etc.

AnalysisAI

HCL Aftermarket DPC version 1.0.0 contains improper input validation (CWE-20) that enables multiple injection attack vectors including Cross-Site Scripting (XSS), SQL Injection, and Command Injection. Authenticated attackers can exploit this vulnerability to inject and execute arbitrary code within the application context. No public exploit code or active exploitation has been identified at time of analysis, and the moderate CVSS score of 3.5 reflects limited confidentiality impact with user interaction required.

Technical ContextAI

The vulnerability resides in HCL Aftermarket DPC (CPE: cpe:2.3:a:hcl:aftermarket_dpc:*:*:*:*:*:*:*:*), an aftermarket product management system. The root cause is classified as CWE-20 (Improper Input Validation), which indicates insufficient sanitization and validation of user-supplied input before processing. This failure permits multiple injection attack classes (XSS, SQL Injection, Command Injection) to succeed depending on how unsanitized input flows through different code paths-whether reflected in HTML responses, embedded in database queries, or passed to system commands. The vulnerability affects version 1.0.0 of the product and likely versions prior to any patched release.

RemediationAI

Consult the HCL support article (https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0129793) for vendor-released patch availability and exact fix version number. Once a patched release is confirmed, upgrade HCL Aftermarket DPC to the latest available version. As interim mitigations pending patching, enforce strict input validation and output encoding at the application layer; restrict network access to Aftermarket DPC to authenticated internal users only; implement a Web Application Firewall (WAF) configured to block common XSS and SQL injection payloads; apply the principle of least privilege to database and system command execution contexts; and enable comprehensive audit logging of user inputs and code execution events.

CVE-2025-55262 HIGH
8.3 Mar 26

SQL injection in HCL Aftermarket DPC version 1.0.0 enables unauthenticated remote attackers to extract sensitive databas

CVE-2025-55261 HIGH
8.1 Mar 26

Missing functional level access control in HCL Aftermarket DPC version 1.0.0 enables privilege escalation attacks that c

CVE-2025-55263 HIGH
7.3 Mar 26

Hardcoded credentials in HCL Aftermarket DPC version 1.0.0 enable authenticated low-privilege attackers with user intera

CVE-2025-55265 MEDIUM
6.5 Mar 26

HCL Aftermarket DPC version 1.0.0 is vulnerable to unauthenticated file discovery that allows remote attackers to read s

CVE-2025-55266 MEDIUM
5.9 Mar 26

HCL Aftermarket DPC versions up to 1.0.0 are vulnerable to session fixation attacks that enable attackers to hijack user

CVE-2025-55267 MEDIUM
5.7 Mar 26

HCL Aftermarket DPC versions prior to and including 1.0.0 suffer from an unrestricted file upload vulnerability (CWE-434

CVE-2025-55264 MEDIUM
5.5 Mar 26

Session invalidation failure in HCL Aftermarket DPC versions up to 1.0.0 allows authenticated attackers to maintain acti

CVE-2025-55268 MEDIUM
4.3 Mar 26

HCL Aftermarket DPC version 1.0.0 is vulnerable to excessive spamming that consumes server bandwidth and processing reso

CVE-2025-55273 MEDIUM
4.3 Mar 26

HCL Aftermarket DPC is vulnerable to Cross Domain Script Include (CWE-829) that permits unauthenticated remote attackers

CVE-2025-55269 MEDIUM
4.2 Mar 26

HCL Aftermarket DPC version 1.0.0 enforces weak password policies that enable attackers to conduct brute-force attacks a

CVE-2025-55275 LOW
3.7 Mar 26

HCL Aftermarket DPC versions up to 1.0.0 contain an admin session concurrency vulnerability that allows authenticated at

CVE-2025-55271 LOW
3.1 Mar 26

HTTP Response Splitting in HCL Aftermarket DPC allows unauthenticated remote attackers to inject arbitrary content or co

Share

CVE-2025-55270 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy