Skip to main content

HCL AION CVE-2025-62317

| EUVDEUVD-2025-209857 LOW
Use of GET Request Method With Sensitive Query Strings (CWE-598)
2026-05-14 HCL GHSA-63f7-76jf-xf93
2.6
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
2.6 LOW
AV:A/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N
Attack Vector
Adjacent
Attack Complexity
High
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
May 14, 2026 - 17:32 vuln.today
CVE Published
May 14, 2026 - 16:13 nvd
LOW 2.6

DescriptionCVE.org

HCL AION is affected by a vulnerability where sensitive information may be included in URL parameters. Passing sensitive data in URLs may expose it through browser history, logs, or intermediary systems, potentially leading to unintended information disclosure under certain conditions.

AnalysisAI

HCL AION exposes sensitive information through URL parameters, allowing disclosure via browser history, server logs, and intermediary systems. The vulnerability requires adjacent network access, high interaction complexity, and authenticated user involvement, resulting in limited confidentiality impact with a CVSS score of 2.6. No active exploitation has been confirmed.

Technical ContextAI

HCL AION improperly passes sensitive data as URL query parameters rather than using secure HTTP methods (POST with body, encrypted headers) or secure storage mechanisms. This violates secure coding practices defined in CWE-598 (GET with Sensitive Information), where sensitive authentication tokens, session identifiers, or user credentials transmitted in URLs become accessible through multiple vectors: browser history caches, HTTP access logs on intermediate proxies and web servers, referrer headers sent to third-party sites, and system-level URL monitoring. The vulnerability affects all versions of HCL AION according to the CPE pattern, indicating a systemic design issue rather than a narrow code defect.

RemediationAI

Apply HCL's security guidance from KB0130636 immediately, which provides vendor-recommended mitigations specific to AION's architecture. Primary fix involves refactoring all sensitive data transmission from URL parameters to HTTP POST request bodies or secure header mechanisms. For immediate risk reduction without code changes: configure web servers and proxies to sanitize logs of sensitive URL parameters using regex filters on query strings; enforce HTTPS with HSTS headers to prevent cleartext interception; restrict browser history retention policies on user devices; disable referrer headers for sensitive endpoints using Referrer-Policy: no-referrer. Trade-offs include potential performance overhead from increased payload size (POST vs. GET) and operational complexity in log filtering. If AION requires URL-based session tokens for backward compatibility, migrate to secure cookie-based session management with HttpOnly and Secure flags set.

More in Aion

View all
CVE-2025-52650 HIGH
8.2 Oct 10

Inline script execution allowed in CSP vulnerability has been identified in HCL AION v2.0

CVE-2025-52632 MEDIUM
6.5 Oct 10

A Missing Secure Attribute in Encrypted Session (SSL) Cookie vulnerability in HCL AION.This issue affects AION: 2.0.

CVE-2025-52644 MEDIUM
5.8 Mar 16

HCL AION contains inadequate auditing and logging mechanisms that fail to properly track certain user actions, reducing

CVE-2025-52638 MEDIUM
5.6 Mar 16

HCL AION contains a container base image authentication vulnerability where container images are not properly verified b

CVE-2025-52627 MEDIUM
5.5 Feb 03

Aion versions up to 2.0 is affected by incorrect permission assignment for critical resource (CVSS 5.5).

CVE-2025-62313 MEDIUM
5.4 May 14

HCL AION lacks adequate brute-force protections on authentication mechanisms, allowing repeated login attempts that coul

CVE-2025-62310 MEDIUM
5.4 May 14

HCL AION fails to enforce encryption for certain data transmissions or operations, potentially exposing sensitive inform

CVE-2025-52624 MEDIUM
5.4 Oct 10

A vulnerability  Bypass of the script allowlist configuration in HCL AION.  An incorrectly configured Content-Security-

CVE-2025-62305 MEDIUM
5.1 May 14

HCL AION allows exposure of sensitive information through out-of-band interactions triggered by certain operations, affe

CVE-2025-62308 MEDIUM
5.1 May 14

HCL AION exposes sensitive backend infrastructure details through an information disclosure vulnerability affecting auth

CVE-2025-52643 MEDIUM
4.7 Mar 16

A security vulnerability in HCL AION (CVSS 4.7). Remediation should follow standard vulnerability management procedures.

CVE-2025-52628 MEDIUM
4.6 Feb 03

Aion versions up to 2.0 contains a vulnerability that allows attackers to cookies to be sent in cross-site requests, pot

Share

CVE-2025-62317 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy