Severity by source
AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N
CSRF attacker needs no system privileges (PR:N); victim authentication and interaction are captured by UI:R; AC:H reflects combined dependency on absent Anti-CSRF tokens and active victim session.
Primary rating from Vendor (HCL).
CVSS VectorVendor: HCL
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
HCL DFXAnalytics is affected by a Missing SameSite Attribute vulnerability. The application fails to set the "SameSite" attribute on session cookies generated during authentication, which could allow a remote attacker to execute Cross-Site Request Forgery (CSRF) attacks if additional mitigations, such as Anti-CSRF tokens, are not implemented.
AnalysisAI
Cross-Site Request Forgery exposure in HCL DFXAnalytics arises because session cookies generated during authentication are issued without the SameSite attribute, allowing browsers to attach them to cross-origin requests. An attacker who can lure an authenticated victim to a malicious page may issue forged state-changing requests that the server honors under the victim's identity, provided the application also lacks Anti-CSRF token validation - a condition the CVE description explicitly names as the decisive amplifying factor. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The CVSS vector (UI:R) confirms a victim who is actively authenticated to HCL DFXAnalytics must visit or load an attacker-controlled page - passive presence on the network is insufficient. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor-assigned CVSS 3.0 Low score is well-supported by the vector breakdown: AC:H reflects the multi-condition dependency (victim must hold an active session AND the application must lack Anti-CSRF tokens), UI:R captures the mandatory victim interaction, and I:L reflects limited-scope integrity impact with no confidentiality or availability consequence. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with knowledge of a state-changing DFXAnalytics endpoint (such as a user-settings update or data export trigger) hosts a webpage containing a forged cross-origin POST request targeting that endpoint. The attacker delivers a link to the page to a victim who is currently authenticated to DFXAnalytics; when the victim's browser loads the page, it automatically includes the session cookie in the forged request - since SameSite is unset - causing the server to execute the action under the victim's credentials. … |
| Remediation | Apply the vendor-supplied fix documented in HCL Knowledge Base article KB0131787 at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0131787; an exact patched version number is not independently confirmable from the available data, so refer to the advisory for the precise upgrade target. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Dfxanalytics
View allTLS protocol downgrade exposure in HCL DFXAnalytics allows network-positioned attackers to intercept and decrypt sensiti
Account takeover through HTTP response manipulation in HCL DFXAnalytics enables a network-positioned attacker to interce
HCL DFXAnalytics fails to enforce strict Content-Security-Policy (CSP) directives for object-src and base-uri, enabling
HCL DFXAnalytics exposes internal file system paths and directory structure through unhandled error messages, system log
Stack-based buffer overflow in HCL DFXAnalytics allows remote unauthenticated attackers to crash or render the applicati
HCL DFXAnalytics contains unpatched third-party libraries with known vulnerabilities that could allow remote attackers w
HCL DFXAnalytics transmits sensitive data over the network without encryption, allowing network-positioned attackers to
HCL DFXAnalytics relies on the obsolete X-XSS-Protection security header instead of implementing a modern Content Securi
HCL DFXAnalytics exposes detailed stack traces in application responses due to improper error handling, allowing authent
Missing HSTS header in HCL DFXAnalytics exposes authenticated sessions to protocol downgrade and man-in-the-middle attac
HCL DFXAnalytics fails to set the 'secure' attribute on session cookies generated during authentication, enabling a netw
Internal IP address exposure in HCL DFXAnalytics allows remote attackers who have obtained high-privilege authenticated
Same weakness CWE-200 – Information Exposure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44919
GHSA-m9fr-x8w8-9mm4