
HCL iControl EUVD-2025-210058

CVE-2025-52612 HIGH
Improper Neutralization of Formula Elements in a CSV File (CWE-1236)
2026-06-04 psirt@hcl.com GHSA-x53x-g43q-33f7
7.1
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

1. Analysis Generated: Jun 04, 2026 - 12:31 (vuln.today)

Description (CVE.org)

HCL iControl was affected by an Export CSV - CSV Injection vulnerability. It is also vulnerable to a reflected cross-site scripting vulnerability. This was caused by insufficient sanitization of input parameters.

Analysis (AI)

CSV injection and reflected cross-site scripting affect HCL iControl due to insufficient input sanitization in the Export CSV feature and in reflected request parameters. An attacker who can lure an authenticated user into clicking a crafted link can execute script in the victim's browser session, or can inject formula payloads into exported CSV files that execute when the export is opened in a spreadsheet application. No public exploit was identified at the time of analysis; the issue carries a CVSS 7.1 (High) rating, driven largely by the user-interaction and low-privilege requirements.

Technical Context (AI)

HCL iControl is HCL Software's IT operations and infrastructure control product. The CWE assigned is CWE-1236 (Improper Neutralization of Formula Elements in a CSV File), commonly called CSV injection or formula injection, in which user-controlled values written into CSV cells (e.g. starting with =, +, -, @) are interpreted as formulas by Excel/LibreOffice/Google Sheets when the export is opened, enabling command execution or data exfiltration via DDE/IMPORTXML. The vendor advisory also describes a parallel reflected XSS condition where input parameters echoed back into HTML responses are not encoded, letting attacker-controlled HTML/JavaScript execute in the browsing context of a victim. Both root causes stem from missing output-context-aware neutralization (HTML encoding for the web UI, formula prefixing/escaping for CSV cells).
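As an added example (not code from HCL or from vuln.today), the following Python shows the export-side neutralization the paragraph above calls for: every cell whose first non-space character is a formula trigger is prefixed so the spreadsheet treats it as text, while typed numeric values keep their sign. The tab and carriage-return triggers are an assumption taken from common CSV-hardening guidance, and the sample rows are constructed.

```python
import csv
import io

# Leading characters that Excel, LibreOffice and Google Sheets interpret as
# the start of a formula. '=', '+', '-', '@' are the ones named in the
# advisory context; '\t' and '\r' are added as an assumption from common
# hardening guidance because some importers honour them as well.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Return a CSV-safe string for one exported cell.

    Typed numbers are emitted as-is (a negative number is not a formula).
    Free text whose first non-space character is a trigger gets a leading
    single quote, which spreadsheets treat as "this cell is text"; the
    quote stays visible in the imported cell, which is the accepted cost.
    """
    if isinstance(value, bool):
        return str(value)
    if isinstance(value, (int, float)):
        return str(value)
    text = "" if value is None else str(value)
    # Check after stripping spaces so that " =cmd" is still caught.
    if text.lstrip(" ").startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def export_rows(rows):
    """Serialize rows to CSV text with every cell neutralized and quoted."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


# Constructed sample: an operator-supplied hostname field carrying a formula,
# an e-mail style value containing '@' (not leading, so left alone), and a
# genuinely negative typed number.
SAMPLE_ROWS = [
    ["host", "owner", "delta"],
    ["=SUM(1,2)", "admin@example.test", -3],
]

if __name__ == "__main__":
    print(export_rows(SAMPLE_ROWS))
```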

Remediation (AI)

Apply the fixed release referenced in HCL's advisory at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0131041 - the exact fix version is not included in the supplied data and should be confirmed directly with HCL Support. Until the patch is deployed, restrict access to the iControl web interface to trusted administrative networks; instruct operators not to open exported CSV files in spreadsheet applications without first reviewing them in a plain-text viewer (trade-off: breaks normal reporting workflows); and enforce browser settings or a strict Content-Security-Policy at the reverse proxy to limit inline script execution as a partial XSS mitigation (trade-off: may break legitimate iControl UI features and requires testing). Disable or remove the CSV export functionality if it is not operationally required (trade-off: loss of reporting capability).
