Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Network-accessible dashboard requires no authentication (PR:N, AV:N); disclosure yields only file path enumeration with no integrity or availability impact.
Primary rating from Vendor (HCL).
CVSS VectorVendor: HCL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
HCL DFXAnalytics is affected by an Internal File Path Disclosure vulnerability. The application dashboard inadvertently leaks sensitive information regarding its internal file structure and directory paths through unhandled error messages, system logs, or debugging output, which could allow a remote attacker to map the underlying server environment and identify targets for further exploitation.
AnalysisAI
HCL DFXAnalytics exposes internal file system paths and directory structure through unhandled error messages, system logs, or debugging output rendered by the application dashboard. All versions are affected per the wildcard CPE, and the CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms unauthenticated remote attackers can trivially trigger and read this disclosure with no special configuration. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | No special conditions are required for initial access - CVSS AV:N/AC:L/PR:N/UI:N/S:U confirms the DFXAnalytics dashboard is network-accessible without authentication, and triggering the disclosure requires only low-complexity interaction (malformed or error-inducing requests). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 5.3 Medium score is proportionate: AV:N/AC:L/PR:N/UI:N means the flaw is trivially reachable by any unauthenticated remote attacker, but impact is bounded to C:L with no integrity or availability consequence. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated remote attacker sends a series of malformed or boundary-case HTTP requests to the HCL DFXAnalytics dashboard, deliberately triggering unhandled error conditions. The application returns verbose error messages or debug output containing absolute file system paths, log file locations, and internal directory structure. … |
| Remediation | Consult HCL Software knowledge base article KB0131787 at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0131787 for the vendor-recommended patch or configuration fix; an exact patched version number is not confirmed in the available data. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Dfxanalytics
View allDenial of service in HCL DFXAnalytics version 3.0 and below allows remote unauthenticated attackers to crash or hang the
Cleartext-adjacent data exposure in HCL DFXAnalytics (version 3.0 and below) stems from continued support for the deprec
Account takeover in HCL DFXAnalytics version 3.0 and below allows a remote attacker to intercept and alter server HTTP r
Cross-Site Request Forgery exposure in HCL DFXAnalytics arises because session cookies generated during authentication a
Login replay vulnerability in HCL DFXAnalytics enables a remote attacker in a man-in-the-middle network position to capt
HCL DFXAnalytics fails to enforce strict Content-Security-Policy (CSP) directives for object-src and base-uri, enabling
Session cookie exposure in HCL DFXAnalytics (version 3.0 and below) occurs because authentication-generated cookies are
Internal IP address disclosure in HCL DFXAnalytics (version 3.0 and below) exposes internal network topology data embedd
HCL DFXAnalytics contains unpatched third-party libraries with known vulnerabilities that could allow remote attackers w
HCL DFXAnalytics transmits sensitive data over the network without encryption, allowing network-positioned attackers to
Insecure file permissions on the HCL DFMPro (for CATIA), DFXAnalytics, and DFXServer installer executables allow any loc
Missing HSTS header in HCL DFXAnalytics exposes authenticated sessions to protocol downgrade and man-in-the-middle attac
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44924
GHSA-493w-xg7v-8gmv