Skip to main content

HCL AION EUVDEUVD-2025-209850

| CVE-2025-62309 LOW
Insertion of Sensitive Information Into Sent Data (CWE-201)
2026-05-14 HCL GHSA-g36x-vg49-93vr
2.6
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
2.6 LOW
AV:A/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N
Attack Vector
Adjacent
Attack Complexity
High
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
May 14, 2026 - 17:32 vuln.today
CVE Published
May 14, 2026 - 16:10 nvd
LOW 2.6

DescriptionCVE.org

HCL AION is affected by a vulnerability where auto-complete functionality is enabled for certain input fields. This may allow sensitive information to be stored in the browser, potentially leading to unintended exposure under specific conditions.

AnalysisAI

HCL AION stores sensitive information in browser auto-complete caches for certain input fields, potentially exposing credentials or other sensitive data to local attackers or through browser history under specific conditions. The vulnerability requires adjacent network access, high interaction complexity, and local user privilege, limiting real-world exploitation scope but posing risk in shared or compromised workstations.

Technical ContextAI

The vulnerability stems from CWE-201 (Insertion of Sensitive Information into Sent Data), which occurs when web applications enable HTML5 autocomplete attributes on password, username, or other sensitive input fields. Browser auto-complete functionality is designed to cache form data for user convenience but can inadvertently persist credentials in plaintext browser storage (autocomplete cache or local storage) accessible to other local users, scripts, or through browser forensics. The affected product is HCL AION (all versions per CPE), a software platform by HCL Software. The flaw is a design/configuration issue rather than a memory safety or logic error - the application fails to explicitly disable autocomplete on sensitive fields via autocomplete='off' or equivalent mechanisms.

RemediationAI

Apply the security patch or upgrade provided by HCL Software via their support portal at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0130636 - consult the advisory for the specific fixed version. Pending patch deployment, disable auto-complete on sensitive input fields by adding autocomplete='off' or autocomplete='new-password' to HTML form elements handling credentials, secrets, or personally identifiable information. For browser-based deployments, configure the application server to enforce HTTP headers such as Cache-Control: no-store and Pragma: no-cache to reduce browser caching of sensitive pages. Educate end-users to avoid saving credentials in browser password managers for shared or untrusted workstations, and configure browsers to clear auto-complete cache on logout. Note that disabling autocomplete may degrade user experience for legitimate users but is essential in multi-user environments.

More in Aion

View all
CVE-2025-52650 HIGH
8.2 Oct 10

Inline script execution allowed in CSP vulnerability has been identified in HCL AION v2.0

CVE-2025-52632 MEDIUM
6.5 Oct 10

A Missing Secure Attribute in Encrypted Session (SSL) Cookie vulnerability in HCL AION.This issue affects AION: 2.0.

CVE-2025-52644 MEDIUM
5.8 Mar 16

HCL AION contains inadequate auditing and logging mechanisms that fail to properly track certain user actions, reducing

CVE-2025-52638 MEDIUM
5.6 Mar 16

HCL AION contains a container base image authentication vulnerability where container images are not properly verified b

CVE-2025-52627 MEDIUM
5.5 Feb 03

Aion versions up to 2.0 is affected by incorrect permission assignment for critical resource (CVSS 5.5).

CVE-2025-62313 MEDIUM
5.4 May 14

HCL AION lacks adequate brute-force protections on authentication mechanisms, allowing repeated login attempts that coul

CVE-2025-62310 MEDIUM
5.4 May 14

HCL AION fails to enforce encryption for certain data transmissions or operations, potentially exposing sensitive inform

CVE-2025-52624 MEDIUM
5.4 Oct 10

A vulnerability  Bypass of the script allowlist configuration in HCL AION.  An incorrectly configured Content-Security-

CVE-2025-62305 MEDIUM
5.1 May 14

HCL AION allows exposure of sensitive information through out-of-band interactions triggered by certain operations, affe

CVE-2025-62308 MEDIUM
5.1 May 14

HCL AION exposes sensitive backend infrastructure details through an information disclosure vulnerability affecting auth

CVE-2025-52643 MEDIUM
4.7 Mar 16

A security vulnerability in HCL AION (CVSS 4.7). Remediation should follow standard vulnerability management procedures.

CVE-2025-52628 MEDIUM
4.6 Feb 03

Aion versions up to 2.0 contains a vulnerability that allows attackers to cookies to be sent in cross-site requests, pot

Share

EUVD-2025-209850 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy