Description
A Stored cross-site scripting (XSS) vulnerability affects HCL Unica Marketing Operations v12.1.8 and lower. Stored cross-site scripting (also known as second-order or persistent XSS) arises when an application receives data from an untrusted source and includes that data within its later HTTP responses in an unsafe way.
Published: 2026-03-19
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting (XSS) leading to potential defacement and data theft
Action: Apply patch
AI Analysis

Impact

A Stored cross‑site scripting (XSS) vulnerability allows an attacker to submit malicious script that is later rendered in HTTP responses, enabling the attacker to deface pages or steal data via the victim’s browser. The vulnerability is identified as CWE‑79 and can result in confidentiality, integrity, and availability impacts through session hijacking, credential theft, or execution of arbitrary client‑side code.

Affected Systems

HCL Software: Unica Marketing Operations (Plan) version 12.1.8 and earlier. The affected product is listed with the CPE cpe:2.3:a:hcltech:unica:*:*:*:*:*:*:*:*.

Risk and Exploitability

The CVSS score of 7.6 classifies the issue as high. EPSS indicates a likelihood of exploitation of less than 1%, and the vulnerability is not currently listed in CISA’s KEV catalog. Based on the description, the likely attack vector is server‑side data input that is stored and later served to users; exploitation requires the ability to input data and for other users to view the affected content.

Generated by OpenCVE AI on March 19, 2026 at 19:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a non‑vulnerable version of HCL Unica Marketing Operations (any release after 12.1.8) or apply the vendor’s patch if available
  • If upgrading is not immediately possible, restrict or sanitize all user‑supplied input that is stored and displayed, ensuring any HTML or script content is properly encoded or stripped
  • Implement a Content Security Policy (CSP) that limits script execution and reduces the impact of any stored script that escapes validation

Advisories

No advisories yet.

History

Mon, 23 Mar 2026 14:30:00 +0000


Thu, 19 Mar 2026 18:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Hcltech; Hcltech unica
CPEs | | cpe:2.3:a:hcltech:unica:*:*:*:*:*:*:*:*
Vendors & Products | | Hcltech; Hcltech unica

Thu, 19 Mar 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 19 Mar 2026 08:00:00 +0000

Type | Values Removed | Values Added
Description | | A Stored cross-site scripting (XSS) vulnerability affects HCL Unica Marketing Operations v12.1.8 and lower. Stored cross-site scripting (also known as second-order or persistent XSS) arises when an application receives data from an untrusted source and includes that data within its later HTTP responses in an unsafe way.
Title | | HCL Unica Marketing Operations v12.1.8 and lower is affected by a Stored cross-site scripting (XSS) vulnerability
Weaknesses | | CWE-79
References | |
Metrics | | cvssV3_1 {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: HCL

Published:

Updated: 2026-03-23T13:50:36.585Z

Reserved: 2024-07-29T21:32:16.370Z

Link: CVE-2024-42210

Vulnrichment

Updated: 2026-03-23T13:50:36.585Z

NVD

Status: Modified

Published: 2026-03-19T08:16:18.700

Modified: 2026-03-23T14:16:28.747

Link: CVE-2024-42210

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T14:15:40Z

Weaknesses