Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
HCL DFXAnalytics is affected by an Insecure Security Header configuration vulnerability where the Content-Security-Policy does not define strict directives for object-src and base-uri, which could allow an attacker to exploit injection vectors such as Cross-Site Scripting (XSS)
AnalysisAI
HCL DFXAnalytics fails to enforce strict Content-Security-Policy (CSP) directives for object-src and base-uri, enabling attackers to inject and execute arbitrary scripts through cross-site scripting (XSS) vectors without authentication or user interaction. This network-accessible vulnerability affects all versions and results in information disclosure with a CVSS score of 5.3; no active exploitation has been reported.
Technical ContextAI
HCL DFXAnalytics uses HTTP security headers to control resource loading and script execution in browsers. The Content-Security-Policy (CSP) header is a critical defense mechanism that restricts which origins can load resources and where code can execute. The vulnerability stems from insufficient CSP directives: the object-src directive controls whether plugins (Flash, Java) can be embedded, and base-uri restricts where the HTML <base> tag can point. Without strict settings (such as object-src 'none' and base-uri 'self'), attackers can inject malicious content or manipulate the DOM base URL to redirect resource requests to attacker-controlled servers. This is classified under CWE-358 (Improperly Restricted Operations on Dynamically-Loaded Code) and relates to improper trust assumptions in client-side security controls. The issue allows XSS payloads to bypass the intended CSP restrictions.
RemediationAI
HCL has published guidance via KB article KB0130569 at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0130569. The primary remediation is to upgrade to a patched version of HCL DFXAnalytics once released by HCL. In the interim, implement the following compensating controls: configure the web server hosting DFXAnalytics to enforce strict Content-Security-Policy headers, specifically adding directives 'object-src "none"' to block plugin execution and 'base-uri "self"' to restrict base URL manipulation. Apply these headers at the server level (via Apache mod_headers, nginx add_header, or IIS configuration) to ensure they apply to all responses from DFXAnalytics. Additionally, restrict network access to DFXAnalytics to trusted IP ranges or require VPN/authentication proxies upstream. Deploy a Web Application Firewall (WAF) with XSS detection rules to block injected scripts. These compensating controls do not eliminate the vulnerability but reduce the attack surface while awaiting patches.
More in Dfxanalytics
View allTLS protocol downgrade exposure in HCL DFXAnalytics allows network-positioned attackers to intercept and decrypt sensiti
Account takeover through HTTP response manipulation in HCL DFXAnalytics enables a network-positioned attacker to interce
HCL DFXAnalytics exposes internal file system paths and directory structure through unhandled error messages, system log
Stack-based buffer overflow in HCL DFXAnalytics allows remote unauthenticated attackers to crash or render the applicati
HCL DFXAnalytics contains unpatched third-party libraries with known vulnerabilities that could allow remote attackers w
HCL DFXAnalytics transmits sensitive data over the network without encryption, allowing network-positioned attackers to
HCL DFXAnalytics relies on the obsolete X-XSS-Protection security header instead of implementing a modern Content Securi
HCL DFXAnalytics exposes detailed stack traces in application responses due to improper error handling, allowing authent
Missing HSTS header in HCL DFXAnalytics exposes authenticated sessions to protocol downgrade and man-in-the-middle attac
Cross-Site Request Forgery exposure in HCL DFXAnalytics arises because session cookies generated during authentication a
HCL DFXAnalytics fails to set the 'secure' attribute on session cookies generated during authentication, enabling a netw
Internal IP address exposure in HCL DFXAnalytics allows remote attackers who have obtained high-privilege authenticated
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209659
GHSA-wwg7-35h6-45wq