
HCL AION CVE-2025-62317

EUVD-2025-209857 | Severity: LOW
Use of GET Request Method With Sensitive Query Strings (CWE-598)
Published 2026-05-14 | Vendor: HCL | Advisory: GHSA-63f7-76jf-xf93
CVSS 3.1 base score: 2.6

CVSS Vector (NVD)

CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N

Attack Vector: Adjacent (AV:A)
Attack Complexity: High (AC:H)
Privileges Required: Low (PR:L)
User Interaction: Required (UI:R)
Scope: Changed (S:C)
Confidentiality: Low (C:L)
Integrity: None (I:N)
Availability: None (A:N)

Lifecycle Timeline

CVE Published: May 14, 2026 - 16:13 (nvd)
Analysis Generated: May 14, 2026 - 17:32 (vuln.today)

Description (NVD)

HCL AION is affected by a vulnerability where sensitive information may be included in URL parameters. Passing sensitive data in URLs may expose it through browser history, logs, or intermediary systems, potentially leading to unintended information disclosure under certain conditions.

Analysis (AI)

HCL AION places sensitive information in URL query parameters, so it can be disclosed through browser history, web server and proxy access logs, and other intermediary systems. Per the CVSS 3.1 vector, exploitation requires adjacent network access (AV:A), high attack complexity (AC:H), a low-privileged account (PR:L) and user interaction (UI:R). The scope is rated changed (S:C), consistent with the data leaking into components outside AION itself such as logs and browser history, and the impact is limited to a low confidentiality loss (C:L), giving a base score of 2.6 (Low). No active exploitation has been confirmed.

Technical Context (AI)

HCL AION passes sensitive data as URL query parameters instead of carrying it in a POST request body, in a request header sent over TLS, or in a cookie with appropriate attributes. This is the pattern CWE-598 (Use of GET Request Method With Sensitive Query Strings) describes: values such as authentication tokens, session identifiers or credentials placed in the URL are recorded in places the application does not control, including browser history, HTTP access logs on web servers, reverse proxies and load balancers, the Referer header sent to third-party sites linked from the page, and host-level URL monitoring. TLS does not help against these vectors, because each of these components sees the URL before encryption or after decryption. The NVD record's CPE pattern does not narrow the affected versions, which suggests a design-level issue rather than a defect in a single code path.

Remediation (AI)

Apply HCL's security guidance in KB0130636, which gives the vendor's mitigations for AION. The proper fix is to move sensitive values out of URL query strings into POST request bodies, an Authorization header, or session cookies with the HttpOnly, Secure and SameSite attributes set; if AION currently relies on URL-carried session tokens for backward compatibility, migrate to cookie-based session management. Until that change is deployed, reduce the exposure without code changes: configure web servers and proxies to redact sensitive query parameters before writing access logs (for example with a regex filter on the query string), set Referrer-Policy: no-referrer on pages that link to or load third-party resources so the URL is not leaked via the Referer header, and enforce HTTPS with HSTS so the URL is at least not visible in cleartext on the network. Note the limits of these mitigations: HTTPS does not hide the query string from the browser's history, from TLS-terminating proxies or from the server's own logs, and log redaction only helps on systems you control. Trade-offs: endpoints changed from GET to POST are no longer cacheable or bookmarkable, API clients must be updated, and redaction adds operational complexity to log pipelines.
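As an added example (not code from HCL, GitHub or vuln.today) of two steps described above, finding the exposures that the Technical Context section lists and the log redaction recommended under Remediation: the script below scans Combined Log Format access-log lines for requests whose query string carries sensitive parameter names and redacts those values before the line is stored. The parameter-name list, the sample log lines and the request-line regex are assumptions for illustration, not taken from HCL AION or from any real deployment.

```python
"""Find and redact sensitive query-string parameters in web access logs.

Added example for CVE-2025-62317 / CWE-598. Not HCL code: the parameter
names, regex and log lines below are assumptions, not AION specifics.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameter names treated as sensitive (assumed list; extend per application).
SENSITIVE_PARAMS = {
    "token", "access_token", "id_token", "refresh_token", "session",
    "sessionid", "jsessionid", "sid", "password", "passwd", "pwd",
    "api_key", "apikey", "secret", "auth", "authorization",
}

# Combined Log Format request field: "METHOD /path?query HTTP/x.y"
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<url>\S+) (?P<proto>HTTP/[\d.]+)"')


def sensitive_params_in_url(url: str) -> list[str]:
    """Return the sensitive parameter names present in the URL's query string."""
    query = urlsplit(url).query
    return [name for name, _ in parse_qsl(query, keep_blank_values=True)
            if name.lower() in SENSITIVE_PARAMS]


def redact_url(url: str, placeholder: str = "REDACTED") -> str:
    """Replace the values of sensitive query parameters, keeping everything else."""
    parts = urlsplit(url)
    if not parts.query:
        return url
    pairs = [(k, placeholder if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def redact_log_line(line: str) -> str:
    """Redact sensitive query values in the request field of one log line."""
    def _sub(m: re.Match) -> str:
        return f'"{m.group("method")} {redact_url(m.group("url"))} {m.group("proto")}"'
    return REQUEST_LINE.sub(_sub, line)


def find_sensitive_requests(lines):
    """Return (line_no, method, names) for requests exposing sensitive parameters.

    Every method is checked, since the query string is logged regardless of
    method; GET is the usual CWE-598 case.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        names = sensitive_params_in_url(m.group("url"))
        if names:
            hits.append((n, m.group("method"), names))
    return hits


# Constructed sample log lines (not from any real HCL AION deployment).
SAMPLE_LOG = [
    '10.0.0.5 - - [14/May/2026:16:13:00 +0000] "GET /api/report?id=42&token=eyJhbGciOi.abc.def HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.6 - - [14/May/2026:16:13:02 +0000] "GET /static/app.js HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [14/May/2026:16:13:05 +0000] "GET /login?user=alice&password=Hunter2%21 HTTP/1.1" 302 0 "-" "curl/8.0"',
    '10.0.0.8 - - [14/May/2026:16:13:07 +0000] "POST /api/session HTTP/1.1" 201 64 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for n, method, names in find_sensitive_requests(SAMPLE_LOG):
        print(f"line {n}: {method} request exposes {', '.join(names)} in the query string")
    for line in SAMPLE_LOG:
        print(redact_log_line(line))
```

Run the scan against existing logs first to see where AION (or anything else behind the same proxy) already leaks values, then wire the redaction into the log pipeline. Matching on parameter names is a heuristic: a token under an unlisted name will pass through, so review the flagged URLs and extend SENSITIVE_PARAMS for the application's actual parameter names.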
