CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Description
HCL Aftermarket DPC is affected by Cross Domain Script Include vulnerability where an attacker using external scripts can tamper with the DOM, altering the content or behavior of the application. Malicious scripts can steal cookies or session tokens, leading to session hijacking.
Analysis
HCL Aftermarket DPC is vulnerable to Cross Domain Script Include (CWE-829), which permits unauthenticated remote attackers to inject and execute malicious external scripts, enabling DOM tampering and theft of session credentials once a user loads the affected page. Affected versions include Aftermarket DPC 1.0.0. No public exploit code or active exploitation had been identified at the time of analysis; the attack vector is network-accessible and requires only user interaction (UI:R in the CVSS vector above), which makes this a moderate-impact integrity threat rather than a critical one.
Technical Context
The vulnerability stems from improper validation of external script sources, classified under CWE-829 (Inclusion of Functionality from Untrusted Control Sphere). HCL Aftermarket DPC fails to enforce Content Security Policy (CSP) headers or same-origin policy protections, allowing attackers to include arbitrary JavaScript from external domains. When a user visits the affected application, malicious scripts execute in the application's security context, gaining access to the DOM, cookies, and session storage. The affected product is identified via CPE cpe:2.3:a:hcl:aftermarket_dpc:*:*:*:*:*:*:*:*, confirming the vulnerability affects the HCL Aftermarket DPC product line across potentially multiple versions, though specific version information is limited to 1.0.0 in the EUVD record.
Affected Products
HCL Aftermarket DPC version 1.0.0 is confirmed affected per the EUVD record (EUVD-2025-209069). The CPE designation cpe:2.3:a:hcl:aftermarket_dpc:*:*:*:*:*:*:*:* indicates the vulnerability may affect other versions of the product line, though specific version boundaries have not been publicly disclosed. Consult HCL's security advisory at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0129793 for a definitive list of affected and patched versions.
Remediation
Contact HCL Software for patch availability and version information via the security advisory at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0129793. Pending patch deployment, send a Content Security Policy header such as `Content-Security-Policy: script-src 'self'` (the keyword must be single-quoted) to restrict script execution to same-origin scripts only, enforce HTTPS with HSTS to prevent man-in-the-middle injection, and consider deploying a Web Application Firewall (WAF) to filter malicious external script requests. Network-level access controls limiting application access to trusted IP ranges will reduce exposure.
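As an added example (not from the HCL advisory or the vuln.today record), a Python check that evaluates whether the effective script-src of a Content-Security-Policy header would still permit cross-domain script includes of the kind CWE-829 describes; the sample headers and the host dpc.example.com are constructed.

```python
# Checks the effective script-src of a Content-Security-Policy header for
# source expressions that would let cross-domain (CWE-829) script includes run.

# Constructed sample headers, not taken from the HCL product or advisory.
WEAK_CSP = "default-src *; script-src * 'unsafe-inline' http:"
HARDENED_CSP = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'"


def parse_csp(header):
    """Split a CSP header into {directive-name: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def host_of(source):
    """Host part of a host-source such as https://cdn.example.net:443/js/ (scheme, port, path removed)."""
    without_scheme = source.split("://", 1)[-1]
    return without_scheme.split("/", 1)[0].split(":", 1)[0]


def script_src_findings(header, app_host):
    """Return the weaknesses in the policy's effective script-src. An empty list means
    only same-origin (or nonce/hash-bound) scripts can load. app_host is the hostname
    of the application the policy protects."""
    policy = parse_csp(header)
    # CSP rule: script-src falls back to default-src when absent; neither present means no restriction.
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return ["no script-src or default-src: any external script may be included"]
    findings = []
    for src in sources:
        low = src.lower()
        if low in ("*", "http:", "https:", "data:"):
            findings.append(f"scheme/wildcard source {src} allows scripts from arbitrary origins")
        elif low in ("'unsafe-inline'", "'unsafe-eval'"):
            findings.append(f"{src} allows injected inline or dynamically evaluated scripts")
        elif low.startswith("'"):
            continue  # 'self', 'none', 'strict-dynamic', 'nonce-...', 'sha256-...'
        elif host_of(low).startswith("*."):
            findings.append(f"wildcard host {src} allows scripts from any matching subdomain")
        elif host_of(low) != app_host.lower():
            findings.append(f"external host {src} is allowed to supply scripts")
    return findings


if __name__ == "__main__":
    for name, csp in (("weak", WEAK_CSP), ("hardened", HARDENED_CSP)):
        print(name, script_src_findings(csp, "dpc.example.com") or ["no findings"])
```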
EUVD-2025-209069