Severity by source
AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
Description (CVE.org)
HCL iControl was affected by a Missing Cookie Attributes vulnerability. It was observed that the application is missing several critical cookie attributes, including Secure and SameSite. Also, the path is set to root.
Analysis (AI)
HCL iControl issues session cookies without the Secure or SameSite attributes and with the cookie path scoped to root. A remote attacker who already holds a low-privileged authenticated session (AV:N/PR:L) can, under high-complexity conditions, achieve limited integrity impact. The missing Secure attribute allows the cookie to be transmitted over unencrypted HTTP, while the absent SameSite attribute opens a cross-site request forgery vector. The CVSS v3.1 base score is 3.1 (Low); no public exploit code exists and the issue is not listed in CISA KEV.
Technical Context (AI)
CWE-614 ('Sensitive Cookie in HTTPS Session Without Secure Attribute') describes the root cause class here. When the Secure flag is absent, browsers will transmit the session cookie over both HTTPS and HTTP connections, making it interceptable through passive or active network-layer attacks. The missing SameSite attribute (some modern browsers default to 'Lax' when it is absent, but that default is not universal and nothing is enforced by the application itself) may permit cross-origin requests to carry the cookie in certain navigation contexts, contributing to CSRF exposure. Setting the cookie path to root ('/') means the cookie is sent with every request to any path on the HCL iControl host, unnecessarily broadening the attack surface. The affected product is HCL iControl; exact CPE strings and version ranges are not provided in the available intelligence.
Remediation (AI)
The primary remediation is to apply the vendor-released fix documented in HCL's KB article KB0131061 at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0131061. An exact patched version number is not independently confirmed from available data; organizations should consult the advisory directly for the target upgrade version. As compensating controls pending patching: enforce strict HTTPS-only access to the iControl application and configure HTTP Strict Transport Security (HSTS) headers so browsers never send the cookie over plaintext HTTP, which mitigates the missing Secure attribute. Web application firewall rules can block cross-origin POST requests to reduce CSRF exposure from the missing SameSite attribute. Restricting the cookie path to the narrowest necessary scope (rather than root '/') limits the cookie's exposure to unrelated application paths but requires application-level configuration changes. These controls reduce but do not eliminate risk; the definitive fix is the vendor patch.
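To make the checks above repeatable, the following Python is an added example (not HCL's code and not part of this record) that parses Set-Cookie header values, flags the weaknesses this page describes (missing Secure, missing SameSite, root path) together with the closely related HttpOnly flag and a missing HSTS response header, and rewrites a header in hardened form with the narrowest path. The cookie name, the `/icontrol` path and all header lines are constructed sample data, not values observed from the product.

```python
"""Audit Set-Cookie / HSTS headers for the cookie-attribute weaknesses described
above and emit a hardened Set-Cookie equivalent.  Added example; all sample
header values are constructed and the cookie name and app path are assumptions.
"""


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie value into name, value and a lower-cased attribute
    map.  Flag attributes without '=' (Secure, HttpOnly) map to True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_set_cookie(header: str) -> list:
    """Return one finding string per weakness found in a Set-Cookie value."""
    attrs = parse_set_cookie(header)["attrs"]
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie can be sent over plaintext HTTP (CWE-614)")
    samesite = attrs.get("samesite")
    if samesite is None or samesite is True:
        findings.append("missing SameSite: browser default decides cross-site sending (CSRF)")
    elif str(samesite).lower() == "none" and "secure" not in attrs:
        findings.append("SameSite=None without Secure: browsers reject this combination")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: cookie readable by script")
    path = attrs.get("path")
    if path in (None, True, "/"):
        findings.append("Path is root or unset: cookie sent to every path on the host")
    return findings


def audit_response(set_cookies: list, response_headers: dict) -> dict:
    """Audit every Set-Cookie value plus the HSTS header of one HTTP response.
    Keys are cookie names (or 'hsts'); values are finding lists."""
    report = {parse_set_cookie(h)["name"]: audit_set_cookie(h) for h in set_cookies}
    lowered = {k.lower(): v for k, v in response_headers.items()}
    if "strict-transport-security" not in lowered:
        report["hsts"] = ["missing Strict-Transport-Security: browser may retry over HTTP"]
    return report


def harden_set_cookie(header: str, path: str, samesite: str = "Strict") -> str:
    """Rewrite a Set-Cookie value with Secure, HttpOnly, an explicit SameSite and
    the given narrow path, keeping any Max-Age/Expires/Domain the app already set."""
    cookie = parse_set_cookie(header)
    kept = {k: v for k, v in cookie["attrs"].items() if k in ("max-age", "expires", "domain")}
    parts = [f"{cookie['name']}={cookie['value']}", f"Path={path}"]
    parts += [f"{k.title()}={v}" for k, v in kept.items()]  # 'max-age'.title() == 'Max-Age'
    parts += ["Secure", "HttpOnly", f"SameSite={samesite}"]
    return "; ".join(parts)


# Constructed sample: the weak shape the advisory describes (no Secure, no
# SameSite, Path=/), followed by a response with no HSTS header.
WEAK_COOKIE = "JSESSIONID=0123456789abcdef; Path=/; HttpOnly"
WEAK_RESPONSE_HEADERS = {"Content-Type": "text/html"}

if __name__ == "__main__":
    for name, findings in audit_response([WEAK_COOKIE], WEAK_RESPONSE_HEADERS).items():
        for f in findings:
            print(f"[{name}] {f}")
    print("hardened:", harden_set_cookie(WEAK_COOKIE, "/icontrol"))
```

Run it against the Set-Cookie values your reverse proxy or browser devtools shows for the iControl login response; an empty finding list for the session cookie and no `hsts` key in the report is the target state. The `harden_set_cookie` rewrite is the shape a proxy-side `Set-Cookie` rewrite rule should produce while the vendor patch is pending.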
CSV injection and reflected cross-site scripting affect HCL iControl due to insufficient input sanitization in the Expor
HCL iControl's web interface fails to automatically expire user sessions after inactivity, leaving authenticated session
Weak input validation in HCL iControl allows authenticated remote attackers to submit input of an unexpected type, resul
Missing HTTP security response headers in HCL iControl fail to instruct client browsers to engage their built-in XSS fil
Stack trace disclosure in HCL iControl v4.0.0 exposes internal application details to authenticated remote attackers via
Same technique: Information Disclosure
EUVD-2025-210061
GHSA-vvc8-jfgx-2xm5