EUVD-2025-208720

CVE-2025-52637 | Severity: MEDIUM
Published: 2026-03-16 | Vendor: HCL
CVSS 3.1 base score: 4.5

CVSS Vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

Attack Vector: Local
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: Low

Lifecycle Timeline

EUVD ID Assigned: Mar 16, 2026 - 13:00 (euvd) - EUVD-2025-208720
Analysis Generated: Mar 16, 2026 - 13:00 (vuln.today)
CVE Published: Mar 16, 2026 - 12:27 (nvd)

Description

HCL AION is affected by a vulnerability where certain offering configurations may permit execution of potentially harmful SQL queries. Improper validation or restrictions on query execution could expose the system to unintended database interactions or limited information exposure under specific conditions.

Analysis

HCL AION contains a SQL injection or improper query validation vulnerability that allows authenticated local users with low privileges to execute potentially harmful SQL queries against the database. The vulnerability affects certain offering configurations and could lead to limited information disclosure, data modification, or denial of service under specific conditions. With a CVSS score of 4.5 and a local attack vector requirement, this represents a moderate-risk vulnerability primarily exploitable by insider threats or compromised local accounts.

Technical Context

The vulnerability stems from improper input validation or insufficient access control restrictions on SQL query execution within HCL AION's database interaction layer. This likely represents a CWE-89 (SQL Injection) or CWE-863 (Incorrect Authorization) class flaw where user-supplied input is insufficiently sanitized before being incorporated into SQL queries, or where authorization checks fail to prevent unprivileged users from executing queries beyond their intended scope. The issue is specific to HCL AION's offering configuration modules, suggesting the vulnerability may exist in configuration parsers or query builders that handle user-provided parameters without adequate parameterized query usage or stored procedure enforcement. The local attack vector (AV:L) indicates the attacker must have some form of system access, whether through a compromised account, shell access, or application-level authenticated session.

Affected Products

HCL AION is affected by this vulnerability in configurations that permit user-supplied SQL queries or dynamic query construction. The specific version ranges have not been publicly disclosed in available intelligence, but HCL typically addresses such issues across multiple product versions. Affected organizations should consult the HCL security advisory and PSIRT channels (https://support.hcltechsw.com/csm) for definitive version impact information and patch availability. The vulnerability is tied to specific offering configurations within AION, suggesting that not all deployments may be equally at risk depending on enabled features and modules.

Remediation

Organizations using HCL AION should immediately check the HCL PSIRT advisories and security updates for patch availability targeting this vulnerability and apply updates to affected systems. Until patches are available, implement compensating controls including:

- enforcing least-privilege database account credentials for AION application processes (use read-only or restricted stored procedures);
- restricting access to AION offering configuration modules to only required administrative users;
- implementing database-level query logging and monitoring to detect anomalous SQL execution patterns;
- disabling or restricting features that permit user-supplied query parameters if not essential to operations.

Network segmentation to limit local system access and multi-factor authentication for administrative accounts can reduce the likelihood of credential compromise that would enable exploitation.

Priority Score

23 (scale: Low / Medium / High / Critical)
Contributing factors: KEV: 0, EPSS: +0.0, CVSS: +22, POC: 0
