Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H
Lifecycle Timeline
3DescriptionCVE.org
HCL Aftermarket DPC is affected by Missing Functional Level Access Control which will allow attacker to escalate his privileges and may compromise the application and may steal and manipulate the data.
AnalysisAI
Missing functional level access control in HCL Aftermarket DPC version 1.0.0 enables privilege escalation attacks that can compromise application integrity and confidentiality. Unauthenticated attackers can leverage this access control flaw to manipulate and exfiltrate data with user interaction required (CVSS 8.1, AV:N/AC:L/PR:N/UI:R). No public exploit has been identified at time of analysis, with CISA SSVC rating the technical impact as partial and exploitation status as none.
Technical ContextAI
HCL Aftermarket DPC version 1.0.0 (CPE: cpe:2.3:a:hcl:aftermarket_dpc) suffers from CWE-284 (Improper Access Control), specifically missing functional level access control mechanisms. This vulnerability class occurs when an application fails to validate that users have appropriate authorization before granting access to privileged functions or resources. Unlike authentication bypass which defeats credential checks, functional level access control failures allow authenticated or unauthenticated users to invoke administrative or privileged operations by directly accessing URLs, API endpoints, or application functions that lack proper authorization enforcement at the business logic layer. The CVSS vector indicates network-accessible attack surface (AV:N) with no authentication prerequisite (PR:N), though user interaction is required (UI:R).
RemediationAI
Consult the HCL vendor advisory at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0129793 for specific patching guidance and version upgrade instructions. Patch availability details and fixed version numbers are available through the HCL support portal knowledge base article KB0129793. Until patching is completed, implement compensating controls including network segmentation to restrict access to Aftermarket DPC instances to trusted IP ranges, deploy web application firewall rules to monitor and block unauthorized function invocations, enforce strict session management and role-based access controls at infrastructure layers, and implement enhanced logging to detect privilege escalation attempts. Organizations should review audit logs for suspicious administrative function calls from low-privilege or unauthenticated sessions.
More in Aftermarket Dpc
View allSQL injection in HCL Aftermarket DPC version 1.0.0 enables unauthenticated remote attackers to extract sensitive databas
Hardcoded credentials in HCL Aftermarket DPC version 1.0.0 enable authenticated low-privilege attackers with user intera
HCL Aftermarket DPC version 1.0.0 is vulnerable to unauthenticated file discovery that allows remote attackers to read s
HCL Aftermarket DPC versions up to 1.0.0 are vulnerable to session fixation attacks that enable attackers to hijack user
HCL Aftermarket DPC versions prior to and including 1.0.0 suffer from an unrestricted file upload vulnerability (CWE-434
Session invalidation failure in HCL Aftermarket DPC versions up to 1.0.0 allows authenticated attackers to maintain acti
HCL Aftermarket DPC version 1.0.0 is vulnerable to excessive spamming that consumes server bandwidth and processing reso
HCL Aftermarket DPC is vulnerable to Cross Domain Script Include (CWE-829) that permits unauthenticated remote attackers
HCL Aftermarket DPC version 1.0.0 enforces weak password policies that enable attackers to conduct brute-force attacks a
HCL Aftermarket DPC versions up to 1.0.0 contain an admin session concurrency vulnerability that allows authenticated at
HCL Aftermarket DPC version 1.0.0 contains improper input validation (CWE-20) that enables multiple injection attack vec
HTTP Response Splitting in HCL Aftermarket DPC allows unauthenticated remote attackers to inject arbitrary content or co
Same weakness CWE-284 – Improper Access Control
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209079