Aion
HCL AION allows exposure of sensitive information through out-of-band interactions triggered by certain operations, affecting confidentiality and integrity under specific conditions. The vulnerability requires adjacent network access, low privilege authentication, and user interaction to exploit, making it suitable for targeted attacks within trusted environments rather than widespread remote exploitation.
HCL AION exposes sensitive information through URL parameters, allowing disclosure via browser history, server logs, and intermediary systems. The vulnerability requires adjacent network access, high interaction complexity, and authenticated user involvement, resulting in limited confidentiality impact with a CVSS score of 2.6. No active exploitation has been confirmed.
HCL AION exposes sensitive backend infrastructure details through an information disclosure vulnerability affecting authenticated users with local network access and specific user interaction. The exposure reveals internal system architecture and configuration information that could enable reconnaissance for targeted attacks, with limited confidentiality, integrity, and availability impact (CVSS 5.1, CWE-201). No public exploit code or confirmed active exploitation has been identified at time of analysis.
HCL AION stores sensitive information in browser auto-complete caches for certain input fields, potentially exposing credentials or other sensitive data to local attackers or through browser history under specific conditions. The vulnerability requires adjacent network access, high interaction complexity, and local user privilege, limiting real-world exploitation scope but posing risk in shared or compromised workstations.
HCL AION uses basic authorization tokens for authentication, exposing credentials to interception or misuse if not transmitted over encrypted channels. The vulnerability affects authenticated local or adjacent network attackers with low privileges and user interaction, resulting in limited confidentiality impact. CVSS 3.0 reflects low severity, though the underlying authentication weakness may enable credential theft in environments with unencrypted internal traffic.
HCL AION fails to configure security-related HTTP response headers, potentially reducing browser-based protections against cross-site scripting and other client-side attacks. The vulnerability requires adjacent network access, high interaction complexity, low privilege authentication, and user interaction to achieve limited confidentiality impact. CVSS score of 2.3 reflects minimal real-world risk under current attack conditions.
HCL AION lacks adequate brute-force protections on authentication mechanisms, allowing repeated login attempts that could lead to account compromise or unauthorized access. The vulnerability requires adjacent network access and affects all versions of the product. No public exploit code has been identified, but the weak authentication controls represent a significant credential-stuffing and password-guessing risk in multi-tenant or shared-network environments.
HCL AION transmits backend service details over unencrypted HTTP channels under certain conditions, allowing authenticated local or adjacent-network attackers with limited privileges to intercept and read sensitive configuration data through man-in-the-middle attacks. The vulnerability requires user interaction and non-default network positioning, resulting in a CVSS score of 4.3 (low severity) with confirmed vendor awareness and advisory availability.
HCL AION fails to enforce encryption for certain data transmissions or operations, potentially exposing sensitive information to interception or unauthorized access. The vulnerability requires adjacent network access, high attack complexity, and user interaction, limiting real-world exploitation scope. No active exploitation has been confirmed at time of analysis.
HCL AION allows local attackers with high privileges to explore internal filesystem structures through certain system behaviors, potentially disclosing information about the underlying environment that could facilitate further targeted attacks. The vulnerability requires local access, high privileges, and user interaction to trigger, with a CVSS score of 2.9 reflecting low immediate risk. No public exploit code or active exploitation has been identified.
HCL AION is affected by a vulnerability where certain offering configurations may permit execution of potentially harmful SQL queries.
A security vulnerability in HCL AION (CVSS 1.9). Remediation should follow standard vulnerability management procedures.
HCL AION is affected by a vulnerability where internal filesystem paths may be exposed through application responses or system behaviour.
HCL AION is affected by a vulnerability where certain identifiers may be predictable in nature.
HCL AION contains inadequate auditing and logging mechanisms that fail to properly track certain user actions, reducing the traceability of user activities and potentially compromising monitoring, accountability, and incident investigation capabilities. The vulnerability affects AION 2.0 and is classified as an Information Disclosure issue with a CVSS score of 5.8. An attacker with local access and low privileges could exploit this to perform actions without adequate logging, hindering forensic analysis and compliance audit trails.
A security vulnerability in HCL AION (CVSS 4.7). Remediation should follow standard vulnerability management procedures.
A remote code execution vulnerability in HCL AION (CVSS 1.8). Remediation should follow standard vulnerability management procedures.
HCL AION contains a container base image authentication vulnerability where container images are not properly verified before deployment, potentially allowing attackers to execute untrusted or malicious container images within the AION environment. This affects AION 2.0 and could enable attackers with local access and high privileges to compromise system integrity and availability. No public evidence of active exploitation or POC availability has been identified in the provided intelligence sources.
HCL AION contains a SQL injection or improper query validation vulnerability that allows authenticated local users with low privileges to execute potentially harmful SQL queries against the database. The vulnerability affects certain offering configurations and could lead to limited information disclosure, data modification, or denial of service under specific conditions. With a CVSS score of 4.5 and local attack vector requirement, this represents a moderate-risk vulnerability primarily exploitable by insider threats or compromised local accounts.
HCL AION is affected by a Permanent Cookie Containing Sensitive Session Information vulnerability. Storing sensitive session data in persistent cookies may increase the risk of unauthorized access if the cookies are intercepted or compromised. [CVSS 3.1 LOW]
HCL AION is affected by a Missing or Insecure HTTP Strict-Transport-Security (HSTS) Header vulnerability. This can allow insecure connections, potentially exposing the application to man-in-the-middle and protocol downgrade attacks. [CVSS 3.7 LOW]
Aion versions up to 2.0 contain a vulnerability that allows cookies to be sent in cross-site requests, potentially increasing exposure to cr (CVSS 4.6).
HCL AION is affected by an Autocomplete HTML Attribute Not Disabled for Password Field vulnerability. Allowing autocomplete on password fields may lead to unintended storage or disclosure of sensitive credentials, potentially increasing the risk of unauthorized access. [CVSS 3.7 LOW]
HCL AION is susceptible to Missing Content-Security-Policy. The absence of a CSP header may increase the risk of cross-site scripting and other content injection attacks by allowing unsafe scripts or resources to execute. This issue affects AION: 2.0. [CVSS 3.7 LOW]
Aion versions up to 2.0 are affected by incorrect permission assignment for critical resource (CVSS 5.5).
A Potential Command Injection vulnerability in HCL AION. This can allow unintended command execution, potentially leading to unauthorized actions on the underlying system. This issue affects AION: 2.0. [CVSS 4.5 MEDIUM]
HCL AION version 2 is affected by a Technical Error Disclosure vulnerability. This can expose sensitive technical details, potentially resulting in information disclosure or aiding further attacks. [CVSS 1.8 LOW]
HCL AION is affected by an Unrestricted File Upload vulnerability. This can allow malicious file uploads, potentially resulting in unauthorized code execution or system compromise. [CVSS 3.1 LOW]
HCL AION is affected by a Missing Security Response Headers vulnerability. The absence of standard security headers may weaken the application’s overall security posture and increase its susceptibility to common web-based attacks. [CVSS 3.5 LOW]
HCL AION version 2 is affected by a JWT Token Expiry Too Long vulnerability. This may increase the risk of token misuse, potentially resulting in unauthorized access if the token is compromised. [CVSS 2.4 LOW]
Aion versions up to 2.0 contain a vulnerability that allows malicious file uploads, potentially resulting in unauthorized code execution or (CVSS 2.7).
Aion versions up to 2.0 contain a vulnerability that allows unintended storage of sensitive or dynamic content, potentially resulting in una (CVSS 2.8).
A Trusted Types in scripts not enforced in CSP vulnerability has been identified in HCL AION. This issue affects AION: 2.0.
HCL AION 2.0 improperly caches sensitive SSL/HTTPS page content, allowing attackers or local users with device or browser access to retrieve cached credentials, system identifiers, and internal file paths. The vulnerability has a CVSS score of 3.7 (low severity) due to high attack complexity and local/physical access requirements, with no public exploit or active exploitation confirmed.
A Bypass of the script allowlist configuration vulnerability in HCL AION. An incorrectly configured Content-Security-Policy header may allow unauthorized scripts to execute, increasing the risk of cross-site scripting and other injection-based attacks. This issue affects AION: 2.0.
An Inline script execution allowed in CSP vulnerability has been identified in HCL AION v2.0.
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in HCL AION. This issue affects HCL AION: 2.0.
A Missing Secure Attribute in Encrypted Session (SSL) Cookie vulnerability in HCL AION. This issue affects AION: 2.0.
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in HCL AION. This issue affects AION: 2.0.