Skip to main content

Dfxanalytics

14 CVEs product

Monthly

CVE-2026-56456 MEDIUM This Month

HCL DFXAnalytics exposes internal file system paths and directory structure through unhandled error messages, system logs, or debugging output rendered by the application dashboard. All versions are affected per the wildcard CPE, and the CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms unauthenticated remote attackers can trivially trigger and read this disclosure with no special configuration. No public exploit code exists and the vulnerability is not listed in CISA KEV; however, the leaked path information materially aids reconnaissance for chained attacks against the underlying server environment.

Information Disclosure Dfxanalytics
NVD VulDB
CVSS 3.1
5.3
CVE-2026-56455 MEDIUM This Month

Stack-based buffer overflow in HCL DFXAnalytics allows remote unauthenticated attackers to crash or render the application unresponsive by submitting excessively large input values that bypass missing server-side length validation. The vulnerability carries a CVSS 3.1 score of 5.3 (Medium) with availability as the sole impact dimension - no confidentiality or integrity exposure is present, and remote code execution has not been indicated. No public exploit code or active exploitation has been identified at time of analysis.

Buffer Overflow Stack Overflow Denial Of Service Dfxanalytics
NVD VulDB
CVSS 3.1
5.3
CVE-2026-56454 MEDIUM This Month

TLS protocol downgrade exposure in HCL DFXAnalytics allows network-positioned attackers to intercept and decrypt sensitive communications by exploiting continued support for deprecated TLS 1.0 and TLS 1.1 protocols. All versions of DFXAnalytics are affected per the wildcard CPE string, with high confidentiality impact and no integrity or availability degradation. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog; however, the CVSS AC:H rating reflects the prerequisite man-in-the-middle network position rather than any inherent technical barrier to exploitation once that position is achieved.

Information Disclosure Dfxanalytics
NVD VulDB
CVSS 3.1
5.9
CVE-2026-56453 MEDIUM This Month

Account takeover through HTTP response manipulation in HCL DFXAnalytics enables a network-positioned attacker to intercept and alter server responses before they reach the client, subverting authentication and authorization decisions enforced client-side. The product, identified via CPE cpe:2.3:a:hcl_software:dfxanalytics:*:*:*:*:*:*:*:*, appears to trust server-provided authentication outcomes without cryptographic integrity protection, allowing a low-privileged adversary-in-the-middle to gain unauthorized access to arbitrary user accounts. No public exploit has been identified and no CISA KEV listing is present, but the CVSS scope change (S:C) signals that successful exploitation reaches beyond the attacker's own session to compromise targeted accounts.

Authentication Bypass Dfxanalytics
NVD VulDB
CVSS 3.1
5.5
CVE-2026-35145 LOW Monitor

Missing HSTS header in HCL DFXAnalytics exposes authenticated sessions to protocol downgrade and man-in-the-middle attacks by network-positioned adversaries. All versions per the CPE wildcard are affected, and the application fails to include the Strict-Transport-Security response header, leaving browsers without enforcement of HTTPS-only communication. No active exploitation has been identified (not in CISA KEV) and no public exploit code is known, consistent with the low CVSS score of 3.1.

Information Disclosure Dfxanalytics
NVD VulDB
CVSS 3.1
3.1
CVE-2026-35143 LOW Monitor

Cross-Site Request Forgery exposure in HCL DFXAnalytics arises because session cookies generated during authentication are issued without the SameSite attribute, allowing browsers to attach them to cross-origin requests. An attacker who can lure an authenticated victim to a malicious page may issue forged state-changing requests that the server honors under the victim's identity, provided the application also lacks Anti-CSRF token validation - a condition the CVE description explicitly names as the decisive amplifying factor. No public exploit code has been identified and the vulnerability is not listed in the CISA KEV catalog; real-world risk is further constrained by modern browser defaults (Chrome 80+ and Firefox apply SameSite=Lax by default), high attack complexity, and the required user interaction.

CSRF Information Disclosure Dfxanalytics
NVD VulDB
CVSS 3.1
3.0
CVE-2026-35142 LOW Monitor

Internal IP address exposure in HCL DFXAnalytics allows remote attackers who have obtained high-privilege authenticated access to harvest internal network topology details from generated server responses. The application embeds private IP addresses directly in its output, violating the CWE-200 information boundary and enabling attackers to map internal infrastructure for follow-on targeted attacks. No public exploit code exists and no active exploitation has been confirmed; the CVSS score of 2.6 reflects the significant access prerequisites that substantially limit real-world risk.

Information Disclosure Dfxanalytics
NVD VulDB
CVSS 3.1
2.6
CVE-2026-35141 LOW Monitor

Login replay vulnerability in HCL DFXAnalytics enables a remote attacker in a man-in-the-middle network position to capture and retransmit valid authentication messages, gaining unauthorized access as a legitimate user. The application lacks message-freshness enforcement - no timestamps or nonce mechanisms are applied to bound the validity window of authentication data, a design gap classified under CWE-294. No public exploit code has been identified and the vulnerability is not listed in CISA KEV; the combination of high attack complexity and mandatory user interaction substantially limits realistic exploitation scope.

Authentication Bypass Dfxanalytics
NVD VulDB
CVSS 3.1
2.6
CVE-2026-35140 LOW Monitor

HCL DFXAnalytics fails to set the 'secure' attribute on session cookies generated during authentication, enabling a network-positioned attacker to capture session tokens transmitted in cleartext over unencrypted HTTP channels. Authenticated sessions are at risk when traffic traverses a path the attacker can observe, such as shared networks or HTTP downgrade scenarios. No public exploit code has been identified at time of analysis, and CISA has not listed this in the Known Exploited Vulnerabilities catalog.

Information Disclosure Dfxanalytics
NVD VulDB
CVSS 3.1
3.0
CVE-2025-59854 LOW Monitor

HCL DFXAnalytics relies on the obsolete X-XSS-Protection security header instead of implementing a modern Content Security Policy, allowing attackers with low privileges to potentially exploit browser-specific XSS protections or bypass intended security controls. The vulnerability requires high attack complexity and authenticated access, limiting practical exploitation but indicating security posture degradation in a production analytics platform.

XSS Dfxanalytics
NVD VulDB
CVSS 3.1
3.1
EPSS
0.0%
CVE-2025-59853 LOW Monitor

HCL DFXAnalytics exposes detailed stack traces in application responses due to improper error handling, allowing authenticated remote attackers with low privileges to gain insights into the application's internal structure, code logic, and environment configurations. The vulnerability requires high attack complexity and produces limited confidentiality impact, resulting in a CVSS score of 3.1. No active exploitation or public exploit code has been identified at the time of analysis.

Information Disclosure Dfxanalytics
NVD VulDB
CVSS 3.1
3.1
EPSS
0.0%
CVE-2025-59852 LOW Monitor

HCL DFXAnalytics transmits sensitive data over the network without encryption, allowing network-positioned attackers to intercept and read confidential information. The vulnerability requires high attack complexity (likely man-in-the-middle positioning) but affects all versions of the product when unencrypted channels are in use. No active exploitation has been reported, and the low CVSS score (3.7) reflects limited confidentiality impact with no integrity or availability compromise.

Information Disclosure Dfxanalytics
NVD VulDB
CVSS 3.1
3.7
EPSS
0.0%
CVE-2025-59851 LOW Monitor

HCL DFXAnalytics contains unpatched third-party libraries with known vulnerabilities that could allow remote attackers with high effort to gain limited unauthorized access. The application fails to update or isolate vulnerable dependencies, potentially enabling exploitation of publicly disclosed security flaws in embedded components to bypass authentication or extract sensitive information.

Authentication Bypass Dfxanalytics
NVD VulDB
CVSS 3.1
3.7
EPSS
0.0%
CVE-2025-31970 MEDIUM This Month

HCL DFXAnalytics fails to enforce strict Content-Security-Policy (CSP) directives for object-src and base-uri, enabling attackers to inject and execute arbitrary scripts through cross-site scripting (XSS) vectors without authentication or user interaction. This network-accessible vulnerability affects all versions and results in information disclosure with a CVSS score of 5.3; no active exploitation has been reported.

XSS Dfxanalytics
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVSS 5.3
MEDIUM This Month

HCL DFXAnalytics exposes internal file system paths and directory structure through unhandled error messages, system logs, or debugging output rendered by the application dashboard. All versions are affected per the wildcard CPE, and the CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms unauthenticated remote attackers can trivially trigger and read this disclosure with no special configuration. No public exploit code exists and the vulnerability is not listed in CISA KEV; however, the leaked path information materially aids reconnaissance for chained attacks against the underlying server environment.

Information Disclosure Dfxanalytics
NVD VulDB
CVSS 5.3
MEDIUM This Month

Stack-based buffer overflow in HCL DFXAnalytics allows remote unauthenticated attackers to crash or render the application unresponsive by submitting excessively large input values that bypass missing server-side length validation. The vulnerability carries a CVSS 3.1 score of 5.3 (Medium) with availability as the sole impact dimension - no confidentiality or integrity exposure is present, and remote code execution has not been indicated. No public exploit code or active exploitation has been identified at time of analysis.

Buffer Overflow Stack Overflow Denial Of Service +1
NVD VulDB
CVSS 5.9
MEDIUM This Month

TLS protocol downgrade exposure in HCL DFXAnalytics allows network-positioned attackers to intercept and decrypt sensitive communications by exploiting continued support for deprecated TLS 1.0 and TLS 1.1 protocols. All versions of DFXAnalytics are affected per the wildcard CPE string, with high confidentiality impact and no integrity or availability degradation. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog; however, the CVSS AC:H rating reflects the prerequisite man-in-the-middle network position rather than any inherent technical barrier to exploitation once that position is achieved.

Information Disclosure Dfxanalytics
NVD VulDB
CVSS 5.5
MEDIUM This Month

Account takeover through HTTP response manipulation in HCL DFXAnalytics enables a network-positioned attacker to intercept and alter server responses before they reach the client, subverting authentication and authorization decisions enforced client-side. The product, identified via CPE cpe:2.3:a:hcl_software:dfxanalytics:*:*:*:*:*:*:*:*, appears to trust server-provided authentication outcomes without cryptographic integrity protection, allowing a low-privileged adversary-in-the-middle to gain unauthorized access to arbitrary user accounts. No public exploit has been identified and no CISA KEV listing is present, but the CVSS scope change (S:C) signals that successful exploitation reaches beyond the attacker's own session to compromise targeted accounts.

Authentication Bypass Dfxanalytics
NVD VulDB
CVSS 3.1
LOW Monitor

Missing HSTS header in HCL DFXAnalytics exposes authenticated sessions to protocol downgrade and man-in-the-middle attacks by network-positioned adversaries. All versions per the CPE wildcard are affected, and the application fails to include the Strict-Transport-Security response header, leaving browsers without enforcement of HTTPS-only communication. No active exploitation has been identified (not in CISA KEV) and no public exploit code is known, consistent with the low CVSS score of 3.1.

Information Disclosure Dfxanalytics
NVD VulDB
CVSS 3.0
LOW Monitor

Cross-Site Request Forgery exposure in HCL DFXAnalytics arises because session cookies generated during authentication are issued without the SameSite attribute, allowing browsers to attach them to cross-origin requests. An attacker who can lure an authenticated victim to a malicious page may issue forged state-changing requests that the server honors under the victim's identity, provided the application also lacks Anti-CSRF token validation - a condition the CVE description explicitly names as the decisive amplifying factor. No public exploit code has been identified and the vulnerability is not listed in the CISA KEV catalog; real-world risk is further constrained by modern browser defaults (Chrome 80+ and Firefox apply SameSite=Lax by default), high attack complexity, and the required user interaction.

CSRF Information Disclosure Dfxanalytics
NVD VulDB
CVSS 2.6
LOW Monitor

Internal IP address exposure in HCL DFXAnalytics allows remote attackers who have obtained high-privilege authenticated access to harvest internal network topology details from generated server responses. The application embeds private IP addresses directly in its output, violating the CWE-200 information boundary and enabling attackers to map internal infrastructure for follow-on targeted attacks. No public exploit code exists and no active exploitation has been confirmed; the CVSS score of 2.6 reflects the significant access prerequisites that substantially limit real-world risk.

Information Disclosure Dfxanalytics
NVD VulDB
CVSS 2.6
LOW Monitor

Login replay vulnerability in HCL DFXAnalytics enables a remote attacker in a man-in-the-middle network position to capture and retransmit valid authentication messages, gaining unauthorized access as a legitimate user. The application lacks message-freshness enforcement - no timestamps or nonce mechanisms are applied to bound the validity window of authentication data, a design gap classified under CWE-294. No public exploit code has been identified and the vulnerability is not listed in CISA KEV; the combination of high attack complexity and mandatory user interaction substantially limits realistic exploitation scope.

Authentication Bypass Dfxanalytics
NVD VulDB
CVSS 3.0
LOW Monitor

HCL DFXAnalytics fails to set the 'secure' attribute on session cookies generated during authentication, enabling a network-positioned attacker to capture session tokens transmitted in cleartext over unencrypted HTTP channels. Authenticated sessions are at risk when traffic traverses a path the attacker can observe, such as shared networks or HTTP downgrade scenarios. No public exploit code has been identified at time of analysis, and CISA has not listed this in the Known Exploited Vulnerabilities catalog.

Information Disclosure Dfxanalytics
NVD VulDB
EPSS 0% CVSS 3.1
LOW Monitor

HCL DFXAnalytics relies on the obsolete X-XSS-Protection security header instead of implementing a modern Content Security Policy, allowing attackers with low privileges to potentially exploit browser-specific XSS protections or bypass intended security controls. The vulnerability requires high attack complexity and authenticated access, limiting practical exploitation but indicating security posture degradation in a production analytics platform.

XSS Dfxanalytics
NVD VulDB
EPSS 0% CVSS 3.1
LOW Monitor

HCL DFXAnalytics exposes detailed stack traces in application responses due to improper error handling, allowing authenticated remote attackers with low privileges to gain insights into the application's internal structure, code logic, and environment configurations. The vulnerability requires high attack complexity and produces limited confidentiality impact, resulting in a CVSS score of 3.1. No active exploitation or public exploit code has been identified at the time of analysis.

Information Disclosure Dfxanalytics
NVD VulDB
EPSS 0% CVSS 3.7
LOW Monitor

HCL DFXAnalytics transmits sensitive data over the network without encryption, allowing network-positioned attackers to intercept and read confidential information. The vulnerability requires high attack complexity (likely man-in-the-middle positioning) but affects all versions of the product when unencrypted channels are in use. No active exploitation has been reported, and the low CVSS score (3.7) reflects limited confidentiality impact with no integrity or availability compromise.

Information Disclosure Dfxanalytics
NVD VulDB
EPSS 0% CVSS 3.7
LOW Monitor

HCL DFXAnalytics contains unpatched third-party libraries with known vulnerabilities that could allow remote attackers with high effort to gain limited unauthorized access. The application fails to update or isolate vulnerable dependencies, potentially enabling exploitation of publicly disclosed security flaws in embedded components to bypass authentication or extract sensitive information.

Authentication Bypass Dfxanalytics
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

HCL DFXAnalytics fails to enforce strict Content-Security-Policy (CSP) directives for object-src and base-uri, enabling attackers to inject and execute arbitrary scripts through cross-site scripting (XSS) vectors without authentication or user interaction. This network-accessible vulnerability affects all versions and results in information disclosure with a CVSS score of 5.3; no active exploitation has been reported.

XSS Dfxanalytics
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy