Skip to main content

HCL DFXAnalytics CVE-2026-35143

| EUVDEUVD-2026-44919 LOW
Information Exposure (CWE-200)
2026-07-16 HCL GHSA-m9fr-x8w8-9mm4
3.0
CVSS 3.1 · Vendor: HCL

Severity by source

Vendor (HCL) PRIMARY
3.0 LOW
AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N
vuln.today AI
3.4 LOW

CSRF attacker needs no system privileges (PR:N); victim authentication and interaction are captured by UI:R; AC:H reflects combined dependency on absent Anti-CSRF tokens and active victim session.

3.1 AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (HCL).

CVSS VectorVendor: HCL

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 16, 2026 - 13:47 vuln.today

DescriptionCVE.org

HCL DFXAnalytics is affected by a Missing SameSite Attribute vulnerability. The application fails to set the "SameSite" attribute on session cookies generated during authentication, which could allow a remote attacker to execute Cross-Site Request Forgery (CSRF) attacks if additional mitigations, such as Anti-CSRF tokens, are not implemented.

AnalysisAI

Cross-Site Request Forgery exposure in HCL DFXAnalytics arises because session cookies generated during authentication are issued without the SameSite attribute, allowing browsers to attach them to cross-origin requests. An attacker who can lure an authenticated victim to a malicious page may issue forged state-changing requests that the server honors under the victim's identity, provided the application also lacks Anti-CSRF token validation - a condition the CVE description explicitly names as the decisive amplifying factor. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify target DFXAnalytics state-changing endpoint
Delivery
Craft malicious cross-origin HTML/form page
Exploit
Deliver link to authenticated victim
Execution
Victim browser loads attacker page
Persist
Browser includes session cookie in cross-origin POST
Impact
Server executes action as victim

Vulnerability AssessmentAI

Exploitation The CVSS vector (UI:R) confirms a victim who is actively authenticated to HCL DFXAnalytics must visit or load an attacker-controlled page - passive presence on the network is insufficient. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor-assigned CVSS 3.0 Low score is well-supported by the vector breakdown: AC:H reflects the multi-condition dependency (victim must hold an active session AND the application must lack Anti-CSRF tokens), UI:R captures the mandatory victim interaction, and I:L reflects limited-scope integrity impact with no confidentiality or availability consequence. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with knowledge of a state-changing DFXAnalytics endpoint (such as a user-settings update or data export trigger) hosts a webpage containing a forged cross-origin POST request targeting that endpoint. The attacker delivers a link to the page to a victim who is currently authenticated to DFXAnalytics; when the victim's browser loads the page, it automatically includes the session cookie in the forged request - since SameSite is unset - causing the server to execute the action under the victim's credentials. …
Remediation Apply the vendor-supplied fix documented in HCL Knowledge Base article KB0131787 at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0131787; an exact patched version number is not independently confirmable from the available data, so refer to the advisory for the precise upgrade target. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-56454 MEDIUM
5.9 Jul 16

TLS protocol downgrade exposure in HCL DFXAnalytics allows network-positioned attackers to intercept and decrypt sensiti

CVE-2026-56453 MEDIUM
5.5 Jul 16

Account takeover through HTTP response manipulation in HCL DFXAnalytics enables a network-positioned attacker to interce

CVE-2025-31970 MEDIUM
5.3 May 06

HCL DFXAnalytics fails to enforce strict Content-Security-Policy (CSP) directives for object-src and base-uri, enabling

CVE-2026-56456 MEDIUM
5.3 Jul 16

HCL DFXAnalytics exposes internal file system paths and directory structure through unhandled error messages, system log

CVE-2026-56455 MEDIUM
5.3 Jul 16

Stack-based buffer overflow in HCL DFXAnalytics allows remote unauthenticated attackers to crash or render the applicati

CVE-2025-59851 LOW
3.7 May 06

HCL DFXAnalytics contains unpatched third-party libraries with known vulnerabilities that could allow remote attackers w

CVE-2025-59852 LOW
3.7 May 06

HCL DFXAnalytics transmits sensitive data over the network without encryption, allowing network-positioned attackers to

CVE-2025-59854 LOW
3.1 May 06

HCL DFXAnalytics relies on the obsolete X-XSS-Protection security header instead of implementing a modern Content Securi

CVE-2025-59853 LOW
3.1 May 06

HCL DFXAnalytics exposes detailed stack traces in application responses due to improper error handling, allowing authent

CVE-2026-35145 LOW
3.1 Jul 16

Missing HSTS header in HCL DFXAnalytics exposes authenticated sessions to protocol downgrade and man-in-the-middle attac

CVE-2026-35140 LOW
3.0 Jul 16

HCL DFXAnalytics fails to set the 'secure' attribute on session cookies generated during authentication, enabling a netw

CVE-2026-35142 LOW
2.6 Jul 16

Internal IP address exposure in HCL DFXAnalytics allows remote attackers who have obtained high-privilege authenticated

Share

CVE-2026-35143 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy