EUVD-2025-209055

CVE-2025-55266 | MEDIUM 5.9 (CVSS 3.1)
Published 2026-03-26 | Vendor: HCL | GHSA-4mx2-9grf-8f85

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:L
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: Low

Lifecycle Timeline

Analysis Generated: Mar 26, 2026 - 13:15 (vuln.today)
EUVD ID Assigned: Mar 26, 2026 - 13:15 (euvd), EUVD-2025-209055
CVE Published: Mar 26, 2026 - 13:02 (nvd), MEDIUM 5.9

Description

HCL Aftermarket DPC is affected by session fixation, which allows an attacker to take over a user's session and use it to carry out unauthorized transactions on behalf of that user.

Analysis

HCL Aftermarket DPC 1.0.0, the version the advisory lists as affected, is vulnerable to session fixation, which lets an attacker hijack a user's authenticated session and perform unauthorized transactions as that user without ever learning the user's credentials. The flaw is in session management: the attacker obtains a session identifier, induces the victim to use it, and because the application does not issue a fresh identifier when the victim authenticates, the attacker's copy of the identifier becomes an authenticated session. The flaw is reachable over the network and requires no prior authentication, but it does require user interaction (for example, the victim following a crafted link), and the vector rates Attack Complexity as High. No public exploit code or active exploitation had been identified at the time of analysis. Note that the published CVSS vector rates Integrity as None even though the description involves unauthorized transactions; when triaging, weigh the description and not only the 5.9 score.

Technical Context

Session fixation is classified as CWE-384 and is a failure of session lifecycle management rather than of authentication itself. HCL Aftermarket DPC (CPE: cpe:2.3:a:hcl:aftermarket_dpc:*:*:*:*:*:*:*:*) does not issue a new session identifier when a user authenticates, nor does it invalidate the identifier that was in use before login. The advisory gives no further detail, but the standard shape of the attack is: an unauthenticated attacker obtains a session identifier from the application, plants it in the victim's browser (typically via a crafted URL, or another vector that sets the session cookie), waits for the victim to log in, and then presents the same identifier, which the application now treats as the victim's authenticated session. Authentication is not bypassed; the victim really did log in. The application's mistake is trusting that the identifier it accepts after login was issued to, and is known only by, the user who authenticated.

Affected Products

HCL Aftermarket DPC version 1.0.0 is listed as affected in the EUVD advisory and the NIST NVD entry; the CPE is cpe:2.3:a:hcl:aftermarket_dpc:*:*:*:*:*:*:*:*. HCL's remediation guidance is in its support knowledge base at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0129793. Further details are in the NIST NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2025-55266.

Remediation

Apply the update HCL provides via its support portal (https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0129793) to move Aftermarket DPC to a fixed version. The actual fix has to live in the application: issue a new session identifier on every successful login, invalidate the pre-login identifier, and never accept a session identifier the server did not itself issue. Until the update is in place, controls at the deployment layer reduce exposure but do not close the flaw: set HttpOnly, Secure and SameSite=Strict on the session cookie (at the reverse proxy if the application cannot), reject or strip session identifiers supplied in URL query strings, enforce HTTPS with HSTS so the identifier is neither exposed nor injectable over a plaintext connection, and shorten session lifetimes so a fixed session is worth less to the attacker. Telling users not to follow links to the application from untrusted sources is a last line of defence, not a control. If the application logs session identifiers, alert on an identifier that is first seen unauthenticated from one client and later used authenticated from a different client, which is the footprint the attack leaves.
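The mechanism described under Technical Context and the session-regeneration control described under Remediation, as an added illustration that is not HCL's code and says nothing about how Aftermarket DPC actually stores sessions: a constructed in-memory session store with a vulnerable login that keeps whatever identifier the client presented, beside a hardened login that invalidates the pre-login identifier and issues a fresh one. The SessionStore class, the two login functions, the demo credential, the cookie name and the attack driver are all assumptions made for the example.

```python
from __future__ import annotations

import secrets

# Constructed demo credential; not a real account anywhere.
USERS = {"alice": "correct horse battery staple"}


class SessionStore:
    """Minimal server-side session table: session ID -> session state.
    Assumed for the example; a real product would back this with a store."""

    def __init__(self) -> None:
        self.sessions: dict[str, dict] = {}

    def new_session(self) -> str:
        # Server-generated, unpredictable identifier.
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def user_for(self, sid: str) -> str | None:
        s = self.sessions.get(sid)
        return s["user"] if s else None


def login_vulnerable(store: SessionStore, sid: str, username: str, password: str) -> str:
    """CWE-384 pattern: on success it keeps the ID the client arrived with and
    simply marks that session authenticated. An ID the server never issued is
    even accepted and created on the fly, so the attacker's copy stays valid."""
    if USERS.get(username) != password:
        raise PermissionError("bad credentials")
    store.sessions.setdefault(sid, {"user": None})["user"] = username
    return sid


def login_hardened(store: SessionStore, sid: str | None, username: str, password: str) -> str:
    """Fix: destroy the pre-login session (if it was ever ours) and issue a
    fresh ID after authentication. Anything the attacker planted is now dead."""
    if USERS.get(username) != password:
        raise PermissionError("bad credentials")
    if sid in store.sessions:
        del store.sessions[sid]
    new_sid = store.new_session()
    store.sessions[new_sid]["user"] = username
    return new_sid


def session_cookie(sid: str) -> str:
    """Set-Cookie value carrying the attributes listed under Remediation.
    Cookie name is an assumption."""
    return f"SESSIONID={sid}; Path=/; HttpOnly; Secure; SameSite=Strict"


def fixation_attack(login) -> tuple[str | None, bool]:
    """Runs the attack against a login function. Returns (who the attacker's
    planted ID resolves to after the victim logs in, whether the victim got a
    new ID). A vulnerable login yields ('alice', False); a fixed one (None, True)."""
    store = SessionStore()
    # 1. Attacker obtains a session ID from the server without logging in.
    attacker_sid = store.new_session()
    # 2. Attacker plants it in the victim's browser (e.g. a crafted link).
    # 3. Victim authenticates while carrying the planted ID.
    victim_sid = login(store, attacker_sid, "alice", USERS["alice"])
    # 4. Attacker replays the ID they already know.
    return store.user_for(attacker_sid), victim_sid != attacker_sid


if __name__ == "__main__":
    print("vulnerable:", fixation_attack(login_vulnerable))
    print("hardened:  ", fixation_attack(login_hardened))
    print(session_cookie(SessionStore().new_session()))
```

The hardened path deletes the old entry before creating the new one rather than renaming it in place; that way a concurrent request still holding the old identifier fails closed instead of racing into the authenticated session.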

Priority Score

30 (scale: Low / Medium / High / Critical)
KEV: 0, EPSS: +0.0, CVSS: +30, POC: 0

EUVD-2025-209055 vulnerability details – vuln.today