Severity by source
AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS Vector (NVD)
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
Description (CVE.org)
HCL AION is affected by a vulnerability where certain offering configurations may permit execution of potentially harmful SQL queries. Improper validation or restrictions on query execution could expose the system to unintended database interactions or limited information exposure under specific conditions.
Analysis (AI)
HCL AION contains a SQL injection or improper query validation vulnerability that allows authenticated local users with low privileges to execute potentially harmful SQL queries against the database. The vulnerability affects certain offering configurations and could lead to limited information disclosure, data modification, or denial of service under specific conditions. With a CVSS score of 4.5 and local attack vector requirement, this represents a moderate-risk vulnerability primarily exploitable by insider threats or compromised local accounts.
Technical Context (AI)
The vulnerability stems from improper input validation or insufficient access control restrictions on SQL query execution within HCL AION's database interaction layer. This likely represents a CWE-89 (SQL Injection) or CWE-863 (Incorrect Authorization) class flaw where user-supplied input is insufficiently sanitized before being incorporated into SQL queries, or where authorization checks fail to prevent unprivileged users from executing queries beyond their intended scope. The issue is specific to HCL AION's offering configuration modules, suggesting the vulnerability may exist in configuration parsers or query builders that handle user-provided parameters without adequate parameterized query usage or stored procedure enforcement. The local attack vector (AV:L) indicates the attacker must have some form of system access, whether through a compromised account, shell access, or application-level authenticated session.
Remediation (AI)
Organizations using HCL AION should immediately check the HCL PSIRT advisories and security updates for patch availability targeting this vulnerability and apply updates to affected systems. Until patches are available, implement compensating controls including: enforcing least-privilege database account credentials for AION application processes (use read-only or restricted stored procedures), restricting access to AION offering configuration modules to only required administrative users, implementing database-level query logging and monitoring to detect anomalous SQL execution patterns, and disabling or restricting features that permit user-supplied query parameters if not essential to operations. Network segmentation to limit local system access and multi-factor authentication for administrative accounts can reduce the likelihood of credential compromise that would enable exploitation.
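The Technical Context and Remediation sections above turn on two controls: parameterized queries (with an allowlist for identifiers such as sort columns, which cannot be bound as parameters) and a least-privilege database account that cannot write. The following is an added example written for this page, not HCL AION code (AION's internals are not public here); it uses Python's sqlite3 module with a constructed `offerings` table, and stands in a read-only authorizer for a restricted database account. Function names and the sample rows are assumptions.

```python
"""Added example (not HCL AION code): string-built vs parameterized SQL,
an identifier allowlist for query-builder options, and a read-only
authorizer standing in for a least-privilege database account.
All table contents below are constructed for the demonstration."""
import sqlite3

# Columns an "offering configuration" is allowed to sort on. Identifiers
# cannot be bound as parameters, so they are allowlisted instead.
ALLOWED_SORT_COLUMNS = {"name", "tier"}


def build_db() -> sqlite3.Connection:
    """Create an in-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE offerings (id INTEGER PRIMARY KEY, name TEXT, tier TEXT, secret TEXT)"
    )
    conn.executemany(
        "INSERT INTO offerings (name, tier, secret) VALUES (?, ?, ?)",
        [
            ("basic", "public", "n/a"),
            ("gold", "internal", "gold-key"),
            ("platinum", "internal", "plat-key"),
        ],
    )
    conn.commit()
    return conn


def find_tier_vulnerable(conn: sqlite3.Connection, tier: str) -> list:
    """CWE-89 pattern: the caller-supplied value is spliced into the SQL text."""
    sql = f"SELECT name, tier FROM offerings WHERE tier = '{tier}'"
    return conn.execute(sql).fetchall()


def find_tier_hardened(conn: sqlite3.Connection, tier: str, sort_by: str = "name") -> list:
    """Parameterized value plus an allowlisted identifier for ORDER BY."""
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"sort column not permitted: {sort_by!r}")
    sql = f"SELECT name, tier FROM offerings WHERE tier = ? ORDER BY {sort_by}"
    return conn.execute(sql, (tier,)).fetchall()


def _read_only_authorizer(action, arg1, arg2, dbname, source):
    """Allow reads only; every other action is denied, as a read-only DB account would."""
    if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ):
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY


def restrict_to_read_only(conn: sqlite3.Connection) -> None:
    """Attach the authorizer so INSERT/UPDATE/DELETE/DROP fail even if injected."""
    conn.set_authorizer(_read_only_authorizer)


def attempt_write(conn: sqlite3.Connection, sql: str) -> bool:
    """Return True if the statement ran, False if the authorizer denied it."""
    try:
        conn.execute(sql)
        return True
    except sqlite3.Error:
        return False


if __name__ == "__main__":
    db = build_db()
    crafted = "public' OR '1'='1"      # a value that breaks out of the quoted literal
    print("vulnerable:", find_tier_vulnerable(db, crafted))   # every row
    print("hardened:  ", find_tier_hardened(db, crafted))     # no row has that tier
    restrict_to_read_only(db)
    print("delete allowed:", attempt_write(db, "DELETE FROM offerings WHERE id = 1"))
```

The same crafted value returns the whole table through the string-built query and nothing through the bound parameter, because the driver never reinterprets a bound value as SQL. The authorizer is the sqlite3 equivalent of the read-only account the Remediation section recommends: even a query that does slip through cannot modify or drop data, which limits an injection to the information-exposure impact the advisory describes.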
Inline script execution allowed in CSP vulnerability has been identified in HCL AION v2.0
A Missing Secure Attribute in Encrypted Session (SSL) Cookie vulnerability in HCL AION. This issue affects AION: 2.0.
HCL AION contains inadequate auditing and logging mechanisms that fail to properly track certain user actions, reducing
HCL AION contains a container base image authentication vulnerability where container images are not properly verified b
Aion versions up to 2.0 are affected by incorrect permission assignment for critical resource (CVSS 5.5).
HCL AION lacks adequate brute-force protections on authentication mechanisms, allowing repeated login attempts that coul
HCL AION fails to enforce encryption for certain data transmissions or operations, potentially exposing sensitive inform
A script allowlist configuration bypass vulnerability in HCL AION. An incorrectly configured Content-Security-
HCL AION allows exposure of sensitive information through out-of-band interactions triggered by certain operations, affe
HCL AION exposes sensitive backend infrastructure details through an information disclosure vulnerability affecting auth
A security vulnerability in HCL AION (CVSS 4.7). Remediation should follow standard vulnerability management procedures.
Aion versions up to 2.0 contain a vulnerability that allows cookies to be sent in cross-site requests, pot
Same weakness: CWE-89 – SQL Injection
Same technique: Information Disclosure
EUVD-2025-208720