
HCL AION CVE-2025-62316

EUVD-2025-209856 | Severity: LOW (CVSS 3.1 base score 2.3)
Improper Restriction of Rendered UI Layers or Frames (CWE-1021)
2026-05-14 | HCL | GHSA-76qx-w8jc-9p87

CVSS Vector (NVD)

CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N

Attack Vector: Adjacent
Attack Complexity: High
Privileges Required: Low
User Interaction: Required
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Lifecycle Timeline

Analysis Generated: May 14, 2026 - 17:32 (vuln.today)
CVE Published: May 14, 2026 - 16:08 (nvd)

Description (NVD)

HCL AION is affected by a vulnerability where certain security-related HTTP response headers are not properly configured. Absence of these headers may reduce the effectiveness of browser-based security controls and could expose the application to limited security risks under specific conditions.

Analysis (AI)

HCL AION fails to configure security-related HTTP response headers, potentially reducing browser-based protections against cross-site scripting and other client-side attacks. Exploitation requires adjacent network access, high attack complexity, low privileges and user interaction, and yields only limited confidentiality impact. The CVSS score of 2.3 reflects minimal real-world risk under those conditions.

Technical Context (AI)

HCL AION is a web application framework in which HTTP response headers such as Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, and Strict-Transport-Security are not properly configured, either by default or by application logic. These headers are browser-enforced security mechanisms that protect against XSS, clickjacking, MIME sniffing, and man-in-the-middle attacks respectively. Their absence, classified as CWE-1021 (Improper Restriction of Rendered UI Layers or Frames), leaves the application dependent solely on server-side input validation and output encoding, which may be insufficient if bypassed. The vulnerability applies to all versions of HCL AION (cpe:2.3:a:hcl:aion:*:*:*:*:*:*:*:*), indicating a systematic configuration gap rather than a code defect in specific versions.

Remediation (AI)

HCL AION administrators should implement HTTP security headers at the application or web server level. The primary remediation is to configure the following headers in AION responses: Content-Security-Policy (CSP) to restrict resource origins and mitigate XSS, X-Frame-Options (e.g., 'DENY' or 'SAMEORIGIN') to prevent clickjacking, X-Content-Type-Options set to 'nosniff' to disable MIME sniffing, and Strict-Transport-Security (HSTS) to enforce HTTPS. These may be configured via AION application settings, a reverse proxy (nginx/Apache), or web server directives. Additionally, enforce HTTPS-only communication and verify that future AION releases include these headers in their default configuration. Consult HCL support article KB0130636 for product-specific configuration steps. As no vendor-released patch version is confirmed at this time, remediation relies on configuration hardening rather than a software update.
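An added example, not part of the vuln.today page or HCL's product: a small Python audit that checks a captured response's headers against the baseline the remediation lists (presence of the four headers, 'nosniff', DENY/SAMEORIGIN, a CSP frame-ancestors directive for the CWE-1021 framing aspect, and an HSTS max-age). The one-year HSTS threshold and the sample header sets are assumptions constructed for the demo.

```python
"""Audit HTTP response headers against the hardening baseline above.
Constructed sample headers; not HCL AION code."""
import re

REQUIRED = ("Content-Security-Policy", "X-Frame-Options",
            "X-Content-Type-Options", "Strict-Transport-Security")
MIN_HSTS_MAX_AGE = 31536000  # one year; a common baseline (assumption, not from the advisory)

def audit_headers(headers):
    """Return a list of findings; an empty list means the baseline is met.
    `headers` maps header name -> value; names are matched case-insensitively."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    for name in REQUIRED:
        if name.lower() not in h:
            findings.append(f"missing {name}")
    # X-Content-Type-Options has exactly one meaningful value.
    xcto = h.get("x-content-type-options")
    if xcto is not None and xcto.lower() != "nosniff":
        findings.append(f"X-Content-Type-Options should be 'nosniff', got '{xcto}'")
    # X-Frame-Options: only DENY and SAMEORIGIN are honoured by current browsers.
    xfo = h.get("x-frame-options")
    if xfo is not None and xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options should be DENY or SAMEORIGIN, got '{xfo}'")
    # CSP frame-ancestors is the modern anti-framing control (the CWE-1021 aspect).
    csp = h.get("content-security-policy")
    if csp is not None and "frame-ancestors" not in csp.lower():
        findings.append("Content-Security-Policy lacks a frame-ancestors directive")
    # HSTS is only useful with a max-age long enough to survive between visits.
    hsts = h.get("strict-transport-security")
    if hsts is not None:
        m = re.search(r"max-age\s*=\s*(\d+)", hsts, re.IGNORECASE)
        if m is None or int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append(f"Strict-Transport-Security max-age below {MIN_HSTS_MAX_AGE}")
    return findings

# Constructed sample responses: an unhardened default and a hardened one.
WEAK = {"Content-Type": "text/html", "Server": "example"}
HARDENED = {
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_headers(hdrs) or "OK")
```

Feed it the header dict from any HTTP client response (e.g. `dict(resp.headers)`) to turn the advisory's checklist into a repeatable post-hardening check.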


CVE-2025-62316 vulnerability details – vuln.today
