Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
AC:H because exploitation requires chaining with a social-engineering step; UI:R because browser attacks like clickjacking require user interaction with a malicious page.
Primary rating from Vendor (hcl).
CVSS VectorVendor: hcl
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
HCL DevOps Loop is affected by missing HTTP security headers. Missing security headers may reduce browser protections against common web-based attacks such as clickjacking, MIME-type sniffing, and cross-site scripting.
AnalysisAI
HCL DevOps Loop omits critical HTTP security response headers, degrading browser-enforced protections against clickjacking, MIME-type sniffing, and cross-site scripting for all users of the application. The absence of headers such as Content-Security-Policy, X-Frame-Options, and X-Content-Type-Options does not introduce a standalone exploit path but removes a layer of defense-in-depth that browsers rely on to block client-side attack chains. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | No authentication or special privilege is required to receive HTTP responses lacking security headers, as the headers are absent from all server responses by default. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 3.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) classifies this as Low severity. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker wishing to perform clickjacking against HCL DevOps Loop users could host a transparent iframe embedding the application inside a malicious webpage, tricking authenticated users into performing unintended actions - feasible specifically because X-Frame-Options or a CSP frame-ancestors directive is absent. Separately, the lack of a Content-Security-Policy makes it easier to inject and execute malicious scripts if any XSS injection point exists elsewhere in the application. … |
| Remediation | The primary remediation is to review and apply the guidance in HCL's knowledge base article KB0132296 at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0132296, which may include a patched release or configuration update; an exact fix version is not confirmed from available data. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-45232