Skip to main content

HCL AION CVE-2025-62316

| EUVDEUVD-2025-209856 LOW
Improper Restriction of Rendered UI Layers or Frames (CWE-1021)
2026-05-14 HCL GHSA-76qx-w8jc-9p87
2.3
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
2.3 LOW
AV:A/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N
Attack Vector
Adjacent
Attack Complexity
High
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
May 14, 2026 - 17:32 vuln.today
CVE Published
May 14, 2026 - 16:08 nvd
LOW 2.3

DescriptionCVE.org

HCL AION is affected by a vulnerability where certain security-related HTTP response headers are not properly configured. Absence of these headers may reduce the effectiveness of browser-based security controls and could expose the application to limited security risks under specific conditions.

AnalysisAI

HCL AION fails to configure security-related HTTP response headers, potentially reducing browser-based protections against cross-site scripting and other client-side attacks. The vulnerability requires adjacent network access, high interaction complexity, low privilege authentication, and user interaction to achieve limited confidentiality impact. CVSS score of 2.3 reflects minimal real-world risk under current attack conditions.

Technical ContextAI

HCL AION is a web application framework where HTTP response headers such as Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, and Strict-Transport-Security are not properly configured by default or by application logic. These headers are critical HTTP security mechanisms that instruct browsers to enforce protections against XSS, clickjacking, MIME sniffing, and man-in-the-middle attacks. The absence of these headers (CWE-1021: Improper Restriction of Rendered UI Layers or Frames) leaves the application dependent solely on server-side input validation and output encoding, which may be insufficient if bypassed. The vulnerability applies to all versions of HCL AION (cpe:2.3:a:hcl:aion:*:*:*:*:*:*:*:*), indicating a systematic configuration gap rather than a code defect in specific versions.

RemediationAI

HCL AION administrators should implement HTTP security headers at the application or web server level. Primary remediation is to configure the following headers in AION responses: Content-Security-Policy (CSP) to restrict resource origins and mitigate XSS, X-Frame-Options (e.g., 'DENY' or 'SAMEORIGIN') to prevent clickjacking, X-Content-Type-Options set to 'nosniff' to disable MIME sniffing, and Strict-Transport-Security (HSTS) to enforce HTTPS. These may be configured via AION application settings, reverse proxy (nginx/Apache), or web server directives. Additionally, enforce HTTPS-only communication and validate that AION's default configuration includes these headers in future releases. Consult HCL support article KB0130636 for product-specific configuration steps. As no vendor-released patch version is confirmed at this time, remediation relies on configuration hardening rather than a software update.

More in Aion

View all
CVE-2025-52650 HIGH
8.2 Oct 10

Inline script execution allowed in CSP vulnerability has been identified in HCL AION v2.0

CVE-2025-52632 MEDIUM
6.5 Oct 10

A Missing Secure Attribute in Encrypted Session (SSL) Cookie vulnerability in HCL AION.This issue affects AION: 2.0.

CVE-2025-52644 MEDIUM
5.8 Mar 16

HCL AION contains inadequate auditing and logging mechanisms that fail to properly track certain user actions, reducing

CVE-2025-52638 MEDIUM
5.6 Mar 16

HCL AION contains a container base image authentication vulnerability where container images are not properly verified b

CVE-2025-52627 MEDIUM
5.5 Feb 03

Aion versions up to 2.0 is affected by incorrect permission assignment for critical resource (CVSS 5.5).

CVE-2025-62313 MEDIUM
5.4 May 14

HCL AION lacks adequate brute-force protections on authentication mechanisms, allowing repeated login attempts that coul

CVE-2025-62310 MEDIUM
5.4 May 14

HCL AION fails to enforce encryption for certain data transmissions or operations, potentially exposing sensitive inform

CVE-2025-52624 MEDIUM
5.4 Oct 10

A vulnerability  Bypass of the script allowlist configuration in HCL AION.  An incorrectly configured Content-Security-

CVE-2025-62305 MEDIUM
5.1 May 14

HCL AION allows exposure of sensitive information through out-of-band interactions triggered by certain operations, affe

CVE-2025-62308 MEDIUM
5.1 May 14

HCL AION exposes sensitive backend infrastructure details through an information disclosure vulnerability affecting auth

CVE-2025-52643 MEDIUM
4.7 Mar 16

A security vulnerability in HCL AION (CVSS 4.7). Remediation should follow standard vulnerability management procedures.

CVE-2025-52628 MEDIUM
4.6 Feb 03

Aion versions up to 2.0 contains a vulnerability that allows attackers to cookies to be sent in cross-site requests, pot

Share

CVE-2025-62316 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy