CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N
Description
HCL Aftermarket DPC is affected by a Cross-Origin Resource Sharing (CORS) vulnerability. The consequences of a CORS misconfiguration include exposure of sensitive user information to attackers, unauthorized access to APIs, and possible data manipulation or leakage. If an attacker were to exploit the CORS misconfiguration, they could steal sensitive data or perform actions on behalf of a legitimate user.
Analysis
HCL Aftermarket DPC version 1.0.0 contains a Cross-Origin Resource Sharing (CORS) misconfiguration that lets an authenticated attacker with low privileges read sensitive user information, and potentially act on behalf of legitimate users, through a browser-based attack. Exploitation requires user interaction (for example, social engineering a logged-in user into visiting a malicious web page), and the scope is unchanged (S:U), so the impact stays within the vulnerable application. The CVSS vector rates the impact as confidentiality only (C:L, I:N, A:N); the vendor description's mention of actions performed on behalf of a user is not reflected in the integrity rating, so operators should read the score with that in mind. No public exploit code has been identified at the time of analysis, and the low CVSS score of 2.6 reflects the high attack complexity, the user-interaction requirement and the limited practical exploitability despite the real risk of data exposure.
Technical Context
The vulnerability stems from an inadequate CORS policy in HCL Aftermarket DPC, classified under CWE-942 (Permissive Cross-domain Policy with Untrusted Domains). CORS is the mechanism by which a server relaxes the browser's same-origin policy: a script running on another origin can send a request, but the browser only lets it read the response if the server's Access-Control-Allow-Origin header admits that origin, and a credentialed (cookie-bearing) read additionally requires Access-Control-Allow-Credentials: true. When the policy is too permissive, a malicious website can make the browser of a logged-in user send authenticated requests to the vulnerable application and read the responses, or, for state-changing endpoints, perform operations in that user's name. The affected product, identified via CPE cpe:2.3:a:hcl:aftermarket_dpc:*:*:*:*:*:*:*:*, is a web application whose API endpoints this misconfiguration exposes to cross-origin access from untrusted sites. The root cause is one of the usual forms of an over-permissive policy: an Access-Control-Allow-Origin value that is too broad, improper wildcard usage, or reflecting the request's Origin header without validating it; which of these applies is not stated in the available data. Note that browsers refuse a wildcard ("*") combined with credentials, so the pattern that actually exposes a logged-in user's data is a specific, echoed origin together with Access-Control-Allow-Credentials: true, and that includes echoing the literal "null" origin sent by sandboxed frames.
Affected Products
HCL Aftermarket DPC version 1.0.0 is confirmed as affected per the EUVD entry (EUVD-2025-209072). The CPE identifier cpe:2.3:a:hcl:aftermarket_dpc:*:*:*:*:*:*:*:* covers the product family; version boundaries beyond 1.0.0 are not explicitly stated in the available data. HCL has published a security advisory with additional details at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0129793, and the vulnerability is indexed in the NIST NVD at https://nvd.nist.gov/vuln/detail/CVE-2025-55274.
Remediation
Upgrade HCL Aftermarket DPC to a patched version as indicated in the vendor advisory (https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0129793); consult HCL support for the exact fixed version if the advisory does not state it. As an interim workaround pending patch deployment, tighten the CORS policy, at a reverse proxy in front of the application if the product itself does not expose the setting: remove wildcard origins, never reflect the request's Origin header or the "null" origin, and allow only an explicit list of trusted origins matched exactly (scheme, host and port), not by substring or suffix, since a suffix match on trusted.example also admits trusted.example.attacker.example. Verify the result by sending requests with an arbitrary Origin header (for example with curl -H "Origin: https://attacker.example") and confirming that the response does not echo it alongside Access-Control-Allow-Credentials: true. Set SameSite=Strict or SameSite=Lax on session cookies; either attribute keeps the cookie off cross-site fetch and XMLHttpRequest calls, which is the path a credentialed CORS read depends on. Consider network-level controls such as WAF rules that reject requests to authenticated endpoints whose Origin header is not on the allowlist. Finally, remind users to avoid links from untrusted sources, since the attack relies on user interaction, while treating that as a secondary measure rather than a fix.
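The following Node.js script is an added example, not code from HCL or from this page, that models the misconfiguration patterns named under Technical Context (origin reflection and loose host matching) next to the exact-match allowlist recommended above, and implements the header check a tester applies to curl probe results. The origins, the allowlist and the probe set are all assumed for illustration.

```javascript
'use strict';
// Added example, not HCL's code: models the CWE-942 misconfiguration class
// (origin reflection, loose host matching) next to an exact-match allowlist,
// plus the check a tester applies to probe results. All origins are assumed.

// Assumed allowlist: the application's own origin and one partner front end.
const TRUSTED_ORIGINS = new Set([
  'https://dpc.example.com',
  'https://portal.example.com',
]);

// Vulnerable pattern 1: echo whatever Origin the browser sent and allow
// credentials. Any page a logged-in user visits can then read API responses.
function corsReflecting(origin) {
  if (!origin) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Vulnerable pattern 2: substring match on a trusted hostname. An attacker
// registers dpc.example.com.attacker.example (or evildpc.example.com) and
// passes the check.
function corsLooseMatch(origin) {
  if (!origin) return {};
  const trustedHosts = [...TRUSTED_ORIGINS].map((o) => new URL(o).hostname);
  if (!trustedHosts.some((h) => origin.includes(h))) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Hardened: exact string match against the allowlist, no echo of unknown
// origins (including the literal "null" sent from sandboxed frames), and
// Vary: Origin so shared caches keep per-origin answers apart.
function corsHardened(origin) {
  if (!origin || !TRUSTED_ORIGINS.has(origin)) return { Vary: 'Origin' };
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Access-Control-Allow-Methods': 'GET, POST',
    'Access-Control-Allow-Headers': 'Content-Type',
    Vary: 'Origin',
  };
}

// What a browser does with the response to a request from probeOrigin.
// "*" together with credentials is refused by browsers, so the case that
// exposes a logged-in user's data is a specific echoed origin plus
// Access-Control-Allow-Credentials: true.
function classifyCors(probeOrigin, headers) {
  const acao = headers['Access-Control-Allow-Origin'];
  const creds = headers['Access-Control-Allow-Credentials'] === 'true';
  if (acao === undefined) return 'blocked';
  if (acao === '*') return creds ? 'blocked-by-browser' : 'anonymous-read';
  if (acao !== probeOrigin) return 'blocked';
  return creds ? 'credentialed-read' : 'anonymous-read';
}

// Audit a policy function the way a tester audits a live endpoint with
// curl -H "Origin: ...": every untrusted origin that obtains a credentialed
// read is a finding.
function auditPolicy(policy, probeOrigins) {
  const findings = [];
  for (const origin of probeOrigins) {
    const verdict = classifyCors(origin, policy(origin));
    if (verdict === 'credentialed-read' && !TRUSTED_ORIGINS.has(origin)) {
      findings.push(origin);
    }
  }
  return findings;
}

// Constructed probe set: a trusted origin, an arbitrary attacker site, a
// suffix-match bypass, a prefix-match bypass and the "null" origin.
const PROBES = [
  'https://portal.example.com',
  'https://attacker.example',
  'https://dpc.example.com.attacker.example',
  'https://evildpc.example.com',
  'null',
];

const POLICIES = { corsReflecting, corsLooseMatch, corsHardened };
for (const [name, policy] of Object.entries(POLICIES)) {
  console.log(name, 'untrusted origins with credentialed read:', auditPolicy(policy, PROBES));
}
```

Against the constructed probe set the reflecting policy yields four findings (every untrusted origin, "null" included), the loose-match policy yields the two look-alike hosts, and the hardened policy yields none while still admitting the trusted partner origin. The same classifyCors logic applies to real probe output: feed it the Origin you sent and the response headers curl printed.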