Severity by source
Primary rating from NVD (only source for this CVE).
CVSS vector (NVD): CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Description (CVE.org)
HCL iControl was affected by a weak input validation vulnerability. This weakness is caused during implementation of an architectural security tactic. The product receives input that is expected to be of a certain type, but it does not validate, or incorrectly validates, that the input is actually of the expected type.
Analysis (AI)
Weak input validation in HCL iControl allows authenticated remote attackers to submit input of an unexpected type, resulting in limited integrity impact against the target system. The vulnerability stems from an implementation deficiency in an architectural security tactic - specifically, the application's failure to correctly validate received input against its expected type. No public exploit code exists and no active exploitation has been confirmed; however, the low-complexity, network-accessible attack vector lowers the bar for authenticated users to abuse this flaw.
Technical Context (AI)
HCL iControl is an enterprise software product from HCL Software. The root cause is classified under CWE-209 (Generation of Error Message Containing Sensitive Information), although the description characterizes the flaw as a type-validation weakness - this discrepancy warrants attention. CWE-209 typically manifests when an application generates verbose error messages in response to unexpected or malformed input, potentially exposing internal state, stack traces, or system configuration details. The CVSS vector (AV:N/AC:L/PR:L/UI:N) indicates the flaw is reachable over the network with low-complexity exploitation requiring only low-privilege authentication and no user interaction. The scope is unchanged (S:U), limiting the vulnerability's blast radius to the vulnerable component itself. Specific CPE strings identifying affected versions were not included in the provided data.
Remediation (AI)
Consult HCL Software's official advisory at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0131178 (KB0131178) for patching guidance. An exact fixed version was not provided in the available data, so the patch status is confirmed as 'Patch available per vendor advisory' without an independently verified fix version. As a compensating control, restrict access to the HCL iControl application to trusted, least-privilege authenticated accounts only, minimizing the pool of users who could exploit the input validation flaw. Ensure verbose error messages and stack traces are disabled or suppressed at the application and web server layers to limit information exposure consistent with CWE-209. Review application logs for anomalous inputs or unexpected type errors that may indicate attempted exploitation.
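As an added illustration of the remediation guidance above (example code, not code from HCL iControl or from this page): a minimal Python request handler that checks each field against its expected type, keeps validation detail and stack traces in the server log rather than in the client response, plus a log check that flags accounts with repeated type-validation failures. The SCHEMA, field names and sample log lines are constructed assumptions; iControl's real API shape is not on the page.

```python
import json
import logging
from collections import Counter

# Hypothetical request schema (field -> expected type); iControl's real API shape is not on the page.
SCHEMA = {"user_id": int, "action": str, "enabled": bool}

class ValidationError(Exception):
    """Raised when a field is missing or of an unexpected type."""
def validate_request(payload: dict) -> dict:
    """Strict type check per field; type() is used because bool is a subclass of int."""
    clean = {}
    for field, expected in SCHEMA.items():
        if field not in payload:
            raise ValidationError(f"missing field {field}")
        value = payload[field]
        if type(value) is not expected:
            raise ValidationError(f"field {field}: expected {expected.__name__}, got {type(value).__name__}")
        clean[field] = value
    return clean

def handle_request(raw: str, user: str) -> dict:
    """Build a response; validation detail goes to the server log, never to the client (CWE-209)."""
    try:
        payload = json.loads(raw)
        if not isinstance(payload, dict):
            raise ValidationError("body is not a JSON object")
        clean = validate_request(payload)
        return {"status": 200, "body": {"ok": True, "user_id": clean["user_id"]}}
    except (ValidationError, json.JSONDecodeError) as exc:
        logging.warning("type_validation_failed user=%s detail=%s", user, exc)
        return {"status": 400, "body": {"error": "invalid request"}}
    except Exception:
        logging.exception("unhandled error user=%s", user)  # stack trace stays server-side
        return {"status": 500, "body": {"error": "internal error"}}

def flag_repeated_failures(log_lines, threshold=3):
    """Detection: accounts with at least `threshold` type-validation failures in a log sample."""
    counts = Counter()
    for line in log_lines:
        if "type_validation_failed" in line:
            counts[line.split("user=")[1].split()[0]] += 1
    return sorted(u for u, n in counts.items() if n >= threshold)
# Constructed sample log lines, not real iControl output.
SAMPLE_LOG = [
    "WARNING type_validation_failed user=alice detail=field user_id: expected int, got str",
    "WARNING type_validation_failed user=alice detail=field enabled: expected bool, got list",
    "WARNING type_validation_failed user=alice detail=field action: expected str, got dict",
    "WARNING type_validation_failed user=bob detail=missing field action",
]
```

The client-facing bodies are fixed strings, so neither the rejected value nor the exception text can leak back to the caller.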
Related HCL iControl vulnerabilities (truncated summaries as listed on the page):
- CSV injection and reflected cross-site scripting affect HCL iControl due to insufficient input sanitization in the Expor
- HCL iControl's web interface fails to automatically expire user sessions after inactivity, leaving authenticated session
- Missing HTTP security response headers in HCL iControl fail to instruct client browsers to engage their built-in XSS fil
- Stack trace disclosure in HCL iControl v4.0.0 exposes internal application details to authenticated remote attackers via
- HCL iControl exposes session cookies without the Secure or SameSite attributes set, and with the cookie path scoped to r
Aliases: EUVD-2025-210062, GHSA-pjv4-rfhc-cr73