Skip to main content

Aftermarket Dpc CVE-2025-55274

| EUVDEUVD-2025-209072 LOW
Permissive Cross-domain Security Policy with Untrusted Domains (CWE-942)
2026-03-26 HCL
2.6
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
2.6 LOW
AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Mar 26, 2026 - 13:15 euvd
EUVD-2025-209072
Analysis Generated
Mar 26, 2026 - 13:15 vuln.today
CVE Published
Mar 26, 2026 - 12:47 nvd
LOW 2.6

DescriptionCVE.org

HCL Aftermarket DPC is affected by Cross-Origin Resource Sharing vulnerability. CORS misconfigurations includes the exposure of sensitive user information to attackers, unauthorized access to APIs, and possible data manipulation or leakage. If an attacker to exploit CORS misconfiguration, they could steal sensitive data, perform actions on behalf of a legitimate user.

AnalysisAI

HCL Aftermarket DPC version 1.0.0 contains a Cross-Origin Resource Sharing (CORS) misconfiguration that permits authenticated attackers with low privileges to access sensitive user information and potentially perform unauthorized actions on behalf of legitimate users through browser-based attacks. The vulnerability requires user interaction (such as social engineering to visit a malicious webpage) and operates within a single security context, limiting its scope to confidentiality impact with no integrity or availability consequences. No public exploit code has been identified at the time of analysis, and the low CVSS score of 2.6 reflects the high attack complexity and limited practical exploitability despite the theoretical risk of data exposure.

Technical ContextAI

The vulnerability stems from inadequate CORS policy configuration in HCL Aftermarket DPC, classified under CWE-942 (Permissive Cross-domain Policy with Untrusted Domains). CORS is a browser security mechanism that controls which cross-origin requests JavaScript code can make to backend APIs. When misconfigured, CORS policies may allow malicious websites to make authenticated requests to the vulnerable application on behalf of a logged-in user, potentially reading sensitive responses or performing state-changing operations. The affected product, identified via CPE cpe:2.3:a:hcl:aftermarket_dpc:*:*:*:*:*:*:*:*, operates as a web application where this misconfiguration exposes API endpoints to unauthorized cross-origin access. The root cause involves either overly permissive Access-Control-Allow-Origin headers, improper wildcard usage, or failure to validate origin headers before responding with sensitive data.

RemediationAI

Upgrade HCL Aftermarket DPC to a patched version as indicated in the vendor advisory (https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0129793); consult HCL support for the exact fixed version if not explicitly stated in the advisory. As an interim workaround pending patch deployment, restrict CORS policies by removing wildcard origins and explicitly whitelist only trusted domains that legitimately require cross-origin API access; audit and tighten Access-Control-Allow-Origin headers to specific, validated origins; implement SameSite cookie attributes (SameSite=Strict or SameSite=Lax) to mitigate credential exposure in cross-site requests; and consider network-level controls such as WAF rules to detect and block suspicious cross-origin requests. Additionally, educate users to avoid clicking links from untrusted sources, as the attack relies on user interaction.

CVE-2025-55262 HIGH
8.3 Mar 26

SQL injection in HCL Aftermarket DPC version 1.0.0 enables unauthenticated remote attackers to extract sensitive databas

CVE-2025-55261 HIGH
8.1 Mar 26

Missing functional level access control in HCL Aftermarket DPC version 1.0.0 enables privilege escalation attacks that c

CVE-2025-55263 HIGH
7.3 Mar 26

Hardcoded credentials in HCL Aftermarket DPC version 1.0.0 enable authenticated low-privilege attackers with user intera

CVE-2025-55265 MEDIUM
6.5 Mar 26

HCL Aftermarket DPC version 1.0.0 is vulnerable to unauthenticated file discovery that allows remote attackers to read s

CVE-2025-55266 MEDIUM
5.9 Mar 26

HCL Aftermarket DPC versions up to 1.0.0 are vulnerable to session fixation attacks that enable attackers to hijack user

CVE-2025-55267 MEDIUM
5.7 Mar 26

HCL Aftermarket DPC versions prior to and including 1.0.0 suffer from an unrestricted file upload vulnerability (CWE-434

CVE-2025-55264 MEDIUM
5.5 Mar 26

Session invalidation failure in HCL Aftermarket DPC versions up to 1.0.0 allows authenticated attackers to maintain acti

CVE-2025-55268 MEDIUM
4.3 Mar 26

HCL Aftermarket DPC version 1.0.0 is vulnerable to excessive spamming that consumes server bandwidth and processing reso

CVE-2025-55273 MEDIUM
4.3 Mar 26

HCL Aftermarket DPC is vulnerable to Cross Domain Script Include (CWE-829) that permits unauthenticated remote attackers

CVE-2025-55269 MEDIUM
4.2 Mar 26

HCL Aftermarket DPC version 1.0.0 enforces weak password policies that enable attackers to conduct brute-force attacks a

CVE-2025-55275 LOW
3.7 Mar 26

HCL Aftermarket DPC versions up to 1.0.0 contain an admin session concurrency vulnerability that allows authenticated at

CVE-2025-55270 LOW
3.5 Mar 26

HCL Aftermarket DPC version 1.0.0 contains improper input validation (CWE-20) that enables multiple injection attack vec

Share

CVE-2025-55274 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy