Severity by source
AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
HCL Aftermarket DPC is affected by HTTP Response Splitting vulnerability where in depending on how the web application handles the split response, an attacker may be able to execute arbitrary commands or inject harmful content into the response..
AnalysisAI
HTTP Response Splitting in HCL Aftermarket DPC allows unauthenticated remote attackers to inject arbitrary content or commands into HTTP responses, potentially leading to content spoofing or further exploitation depending on application response handling. The vulnerability affects Aftermarket DPC version 1.0.0 and requires user interaction to exploit. No public exploit identified at time of analysis, and exploitation is not currently automatable according to CISA SSVC assessment, resulting in a low real-world risk profile despite the injection vector.
Technical ContextAI
HTTP Response Splitting vulnerabilities arise from improper sanitization of user-controlled input that is incorporated into HTTP response headers, as classified under CWE-113 (Improper Neutralization of CRLF Sequences in HTTP Headers). HCL Aftermarket DPC (identified via CPE cpe:2.3:a:hcl:aftermarket_dpc:*:*:*:*:*:*:*:*) fails to adequately validate or encode data before including it in response headers, permitting an attacker to inject carriage return and line feed characters. This allows an attacker to terminate the current HTTP header block and inject arbitrary headers or even an entirely new HTTP response, potentially enabling cache poisoning, session fixation, or credential theft depending on downstream processing by intermediate proxies or client-side applications.
RemediationAI
Apply the vendor-released patch from HCL by consulting the official security advisory at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0129793, which details the exact patched version and upgrade procedure. If immediate patching is not feasible, implement input validation and output encoding controls at the application or web application firewall layer to neutralize CRLF injection attempts in user-supplied parameters that are reflected in HTTP response headers. Additionally, enforce strict HTTP response header validation policies and consider deploying a reverse proxy with header filtering rules to prevent response splitting attacks. Monitor HTTP response headers in production logs for anomalous injection patterns.
More in Aftermarket Dpc
View allSQL injection in HCL Aftermarket DPC version 1.0.0 enables unauthenticated remote attackers to extract sensitive databas
Missing functional level access control in HCL Aftermarket DPC version 1.0.0 enables privilege escalation attacks that c
Hardcoded credentials in HCL Aftermarket DPC version 1.0.0 enable authenticated low-privilege attackers with user intera
HCL Aftermarket DPC version 1.0.0 is vulnerable to unauthenticated file discovery that allows remote attackers to read s
HCL Aftermarket DPC versions up to 1.0.0 are vulnerable to session fixation attacks that enable attackers to hijack user
HCL Aftermarket DPC versions prior to and including 1.0.0 suffer from an unrestricted file upload vulnerability (CWE-434
Session invalidation failure in HCL Aftermarket DPC versions up to 1.0.0 allows authenticated attackers to maintain acti
HCL Aftermarket DPC version 1.0.0 is vulnerable to excessive spamming that consumes server bandwidth and processing reso
HCL Aftermarket DPC is vulnerable to Cross Domain Script Include (CWE-829) that permits unauthenticated remote attackers
HCL Aftermarket DPC version 1.0.0 enforces weak password policies that enable attackers to conduct brute-force attacks a
HCL Aftermarket DPC versions up to 1.0.0 contain an admin session concurrency vulnerability that allows authenticated at
HCL Aftermarket DPC version 1.0.0 contains improper input validation (CWE-20) that enables multiple injection attack vec
Same weakness CWE-113 – HTTP Response Splitting
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209065