Description
HCL DFXAnalytics is affected by an Insecure Security Header configuration vulnerability where the Content-Security-Policy does not define strict directives for object-src and base-uri, which could allow an attacker to exploit injection vectors such as Cross-Site Scripting (XSS)
Published: 2026-05-06
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an insecure security-header configuration: the Content-Security-Policy header in HCL DFXAnalytics does not define strict directives for object-src and base-uri. This omission permits an attacker to embed malicious scripts through cross-site scripting vectors, potentially enabling the execution of unauthorized JavaScript in the active session of legitimate users. The attack could result in theft of session tokens, manipulation of page content, or arbitrary code execution in the context of the user's privileges.

Affected Systems

The affected vendor is HCL and the product is DFXAnalytics. No specific product version or build information was supplied in the advisory.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. The EPSS score of < 1% reflects a very low but nonzero probability that the vulnerability will be exploited. The vulnerability is not listed in CISA KEV. Based on the description, the likely attack vector is a web‑browser interface, requiring an attacker to provoke a legitimate user to load a malicious URL or embed hostile content within the application. Exploitation would involve client‑side code injection, which could lead to compromise of the victim’s session and data.

Generated by OpenCVE AI on May 7, 2026 at 22:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any available HCL patch or update that enforces strict CSP directives for object-src and base-uri.
  • If a patch is not yet released, modify the CSP header to include "object-src 'none'" and "base-uri 'self'" (the single quotes are part of CSP keyword syntax), so that plugin content such as <object> and <embed> cannot be loaded and an injected <base> tag cannot redirect the page's relative URLs to an attacker-controlled origin.
  • Conduct a comprehensive audit of all HTTP security headers to identify similar misconfigurations and remediate them.

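The recommended actions above come down to two directives; the check below, an added example that is not OpenCVE's or HCL's code, parses a Content-Security-Policy header and reports whether object-src and base-uri are effectively restricted, then produces a hardened policy. It encodes the caveat that matters when auditing: object-src inherits default-src when absent, but base-uri does not, so a policy that only sets default-src 'none' still leaves base-uri open. The sample headers are constructed for illustration; the actual DFXAnalytics policy is not published in the advisory.

```python
"""Audit a Content-Security-Policy header for the object-src and base-uri
directives named in the advisory, and emit a hardened policy.

Added example, not code from HCL or OpenCVE. All sample headers here are
constructed; the real DFXAnalytics policy is not shown on the advisory page.
"""
from typing import Dict, List

# Directives the advisory flags, with the value the recommended action suggests.
REQUIRED = {"object-src": "'none'", "base-uri": "'self'"}

# object-src falls back to default-src when it is absent; base-uri has no
# fallback, so "default-src 'none'" alone still leaves base-uri unrestricted.
FALLS_BACK_TO_DEFAULT = {"object-src"}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source expressions]}.

    Directive names are case-insensitive, and browsers honour only the first
    occurrence of a repeated directive, so later duplicates are dropped.
    """
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name in policy:
            continue
        policy[name] = tokens[1:]
    return policy


def is_strict(name: str, policy: Dict[str, List[str]]) -> bool:
    """True when the directive is present (or, for object-src, inherited from
    default-src) and does not allow arbitrary origins."""
    values = policy.get(name)
    if values is None and name in FALLS_BACK_TO_DEFAULT:
        values = policy.get("default-src")
    if values is None:
        return False
    lowered = [v.lower() for v in values]
    # A wildcard or a bare scheme such as "https:" or "data:" permits any host.
    if "*" in lowered or any(v.endswith(":") for v in lowered):
        return False
    return True


def find_weak_directives(header: str) -> List[str]:
    """Return the advisory's directives that are missing or too permissive."""
    policy = parse_csp(header)
    return [name for name in REQUIRED if not is_strict(name, policy)]


def harden_csp(header: str) -> str:
    """Replace or append the recommended value for each weak directive,
    leaving every other directive untouched."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    for name in find_weak_directives(header):
        parts = [p for p in parts if p.split()[0].lower() != name]
        parts.append(f"{name} {REQUIRED[name]}")
    return "; ".join(parts)


if __name__ == "__main__":
    # Constructed sample resembling the misconfiguration described above.
    weak = "script-src 'self'; style-src 'self'"
    print("weak directives:", find_weak_directives(weak))
    print("hardened policy:", harden_csp(weak))
```

To audit a live deployment, take the header value from the response (for example the output of `curl -sI <url>`) and pass it to find_weak_directives; an empty list means both directives are covered. The harden_csp output is a starting point for a Content-Security-Policy header or reverse-proxy rule, to be tested against the application before rollout since a too-strict base-uri or object-src can break legitimate embeds.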


Advisories

No advisories yet.

History

Thu, 07 May 2026 21:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Hcl; Hcl dfxanalytics
Vendors & Products   -                Hcl; Hcl dfxanalytics

Thu, 07 May 2026 20:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Hcltech; Hcltech dfxanalytics
Weaknesses           -                CWE-79
CPEs                 -                cpe:2.3:a:hcltech:dfxanalytics:*:*:*:*:*:*:*:*
Vendors & Products   -                Hcltech; Hcltech dfxanalytics

Thu, 07 May 2026 13:15:00 +0000

Type                 Values Removed   Values Added
Metrics              -                ssvc (version 2.0.3): Automatable=yes, Exploitation=none, Technical Impact=partial

Wed, 06 May 2026 10:45:00 +0000

Type                 Values Removed   Values Added
Description          -                HCL DFXAnalytics is affected by an Insecure Security Header configuration vulnerability where the Content-Security-Policy does not define strict directives for object-src and base-uri, which could allow an attacker to exploit injection vectors such as Cross-Site Scripting (XSS)
Title                -                HCL DFXAnalytics is affected by an Insecure Security Header configuration vulnerability
Weaknesses           -                CWE-358
References           -                -
Metrics              -                cvssV3_1 score 5.3, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N


MITRE

Status: PUBLISHED

Assigner: HCL

Published:

Updated: 2026-05-07T13:09:17.233Z

Reserved: 2025-04-01T18:46:23.152Z

Link: CVE-2025-31970

Vulnrichment

Updated: 2026-05-06T14:12:55.591Z

NVD

Status : Analyzed

Published: 2026-05-06T11:16:03.650

Modified: 2026-05-07T19:58:05.827

Link: CVE-2025-31970

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T22:45:24Z

Weaknesses