Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
HCL Aftermarket DPC is affected by Cross Domain Script Include vulnerability where an attacker using external scripts can tamper with the DOM, altering the content or behavior of the application. Malicious scripts can steal cookies or session tokens, leading to session hijacking.
AnalysisAI
HCL Aftermarket DPC is vulnerable to Cross Domain Script Include (CWE-829) that permits unauthenticated remote attackers to inject and execute malicious external scripts, enabling DOM tampering and theft of session credentials without user interaction. Affected versions include Aftermarket DPC 1.0.0. No public exploit code or active exploitation has been identified at time of analysis, though the attack vector is network-accessible and requires only user interaction (rendering this a moderate-impact integrity threat rather than a critical one).
Technical ContextAI
The vulnerability stems from improper validation of external script sources, classified under CWE-829 (Inclusion of Functionality from Untrusted Control Sphere). HCL Aftermarket DPC fails to enforce Content Security Policy (CSP) headers or same-origin policy protections, allowing attackers to include arbitrary JavaScript from external domains. When a user visits the affected application, malicious scripts execute in the application's security context, gaining access to the DOM, cookies, and session storage. The affected product is identified via CPE cpe:2.3:a:hcl:aftermarket_dpc:*:*:*:*:*:*:*:*, confirming the vulnerability affects the HCL Aftermarket DPC product line across potentially multiple versions, though specific version information is limited to 1.0.0 in the EUVD record.
RemediationAI
Contact HCL Software for patch availability and version information via the security advisory at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0129793. Pending patch deployment, implement Content Security Policy (CSP) headers with 'script-src self' to restrict script execution to same-origin scripts only, enforce HTTPS with HSTS to prevent man-in-the-middle injection, and consider deploying a Web Application Firewall (WAF) to filter malicious external script requests. Network-level access controls limiting application access to trusted IP ranges will reduce exposure.
More in Aftermarket Dpc
View allSQL injection in HCL Aftermarket DPC version 1.0.0 enables unauthenticated remote attackers to extract sensitive databas
Missing functional level access control in HCL Aftermarket DPC version 1.0.0 enables privilege escalation attacks that c
Hardcoded credentials in HCL Aftermarket DPC version 1.0.0 enable authenticated low-privilege attackers with user intera
HCL Aftermarket DPC version 1.0.0 is vulnerable to unauthenticated file discovery that allows remote attackers to read s
HCL Aftermarket DPC versions up to 1.0.0 are vulnerable to session fixation attacks that enable attackers to hijack user
HCL Aftermarket DPC versions prior to and including 1.0.0 suffer from an unrestricted file upload vulnerability (CWE-434
Session invalidation failure in HCL Aftermarket DPC versions up to 1.0.0 allows authenticated attackers to maintain acti
HCL Aftermarket DPC version 1.0.0 is vulnerable to excessive spamming that consumes server bandwidth and processing reso
HCL Aftermarket DPC version 1.0.0 enforces weak password policies that enable attackers to conduct brute-force attacks a
HCL Aftermarket DPC versions up to 1.0.0 contain an admin session concurrency vulnerability that allows authenticated at
HCL Aftermarket DPC version 1.0.0 contains improper input validation (CWE-20) that enables multiple injection attack vec
HTTP Response Splitting in HCL Aftermarket DPC allows unauthenticated remote attackers to inject arbitrary content or co
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209069