
Icontrol (HCL iControl): 6 CVEs

Monthly

CVE-2025-62340 MEDIUM This Month

HCL iControl's web interface fails to automatically expire user sessions after inactivity, leaving authenticated session tokens valid indefinitely until explicit logout. An attacker who obtains a valid session token - through interception or unattended browser access - can reuse it to access the application and read data. CVSS rates this Low (3.1) reflecting high attack complexity and limited confidentiality impact; no public exploit exists and the vulnerability is not listed in CISA KEV.

Category: Information Disclosure (Icontrol)
Sources: NVD, VulDB
CVSS 3.1: 5.3 | EPSS: 0.2%
CVE-2025-52612 HIGH This Week

CSV injection and reflected cross-site scripting affect HCL iControl due to insufficient input sanitization in the Export CSV feature and in reflected request parameters. An attacker who can lure an authenticated user into clicking a crafted link can execute script in the victim's browser session or inject formula payloads into exported CSV files that execute when the file is opened in a spreadsheet application. No public exploit was identified at the time of analysis; the issue carries a CVSS 7.1 (High) rating, driven largely by its user-interaction and low-privilege requirements.

Category: XSS (Icontrol)
Sources: NVD
CVSS 3.1: 7.1 | EPSS: 0.0%
CVE-2025-52611 LOW Monitor

Stack trace disclosure in HCL iControl v4.0.0 exposes internal application details to authenticated remote attackers via unhandled JavaScript exceptions. The application fails to catch the runtime error raised when it attempts to read the 'dashboard' key from an undefined object, and returns the full stack trace to the requesting client. No public exploit exists and no active exploitation has been observed; CVSS scores this Low (3.1), reflecting a strictly limited confidentiality impact with no integrity or availability consequences.

Category: Information Disclosure (Icontrol)
Sources: NVD
CVSS 3.1: 3.1 | EPSS: 0.0%
CVE-2025-52609 LOW Monitor

Missing HTTP security response headers in HCL iControl leave client browsers uninstructed to engage their built-in XSS filtering mechanisms, a gap classified under CWE-693 (Protection Mechanism Failure). The flaw is network-accessible and requires no authentication (PR:N per CVSS), but carries a CVSS 3.7 Low score due to high attack complexity (AC:H) and a limited, integrity-only impact (I:L). No public exploit code exists and this vulnerability is not listed in CISA KEV, placing it in the compliance/hardening category rather than among immediate critical risks.

Category: XSS (Icontrol)
Sources: NVD
CVSS 3.1: 3.7 | EPSS: 0.1%
CVE-2025-52608 LOW Monitor

HCL iControl issues session cookies without the Secure or SameSite attributes set, and with the cookie path scoped to the root of the site, enabling network-adjacent attackers holding authenticated sessions to perform limited integrity modifications under high-complexity conditions. The missing Secure attribute allows the cookie to be transmitted over unencrypted HTTP, while the absent SameSite attribute opens a cross-site request forgery vector. CVSS scores this at 3.1 (Low); no public exploit code exists and it is not listed in CISA KEV.

Category: Information Disclosure (Icontrol)
Sources: NVD
CVSS 3.1: 3.1 | EPSS: 0.0%
CVE-2025-52606 MEDIUM This Month

Weak input validation in HCL iControl allows authenticated remote attackers to submit input of an unexpected type, resulting in a limited integrity impact on the target system. The vulnerability stems from an implementation deficiency in an architectural security tactic, specifically the application's failure to validate received input against its expected type. No public exploit code exists and no active exploitation has been confirmed; however, the low-complexity, network-accessible attack vector lowers the bar for authenticated users to abuse this flaw.

Category: Information Disclosure (Icontrol)
Sources: NVD
CVSS 3.1: 4.3 | EPSS: 0.0%