Description
HCL DFXAnalytics is affected by an Insecure Security Header configuration vulnerability where the Content-Security-Policy does not define strict directives for object-src and base-uri, which could allow an attacker to exploit injection vectors such as Cross-Site Scripting (XSS).
Published: 2026-05-06
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

HCL DFXAnalytics suffers from an insecure security-header configuration: the Content-Security-Policy header omits strict directives for object-src and base-uri. Without them, the policy does not restrict plugin content (object-src) or the document base URL (base-uri), so a payload that reaches the page through a cross-site scripting vector is not contained at the CSP layer and unauthorized JavaScript may execute in the context of legitimate users. The consequence could be compromise of user session data, theft of sensitive information, or defacement of displayed content.

Affected Systems

The affected vendor is HCL, product DFXAnalytics. No specific version information was supplied in the advisory.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is web-browser based, requiring an attacker to get a user to load a malicious URL or content within the application. Exploitation would involve client-side code injection, which could lead to privilege escalation if the victim has administrative privileges within the system.

Generated by OpenCVE AI on May 6, 2026 at 11:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official HCL patch that enforces strict CSP directives for object-src and base-uri.
  • If a patch is not yet available, modify the CSP header to include object-src 'none'; base-uri 'self'; to restrict unwarranted content (the keywords must be single-quoted; an unquoted none or self is parsed as a host name, not a keyword).
  • Perform a comprehensive audit of all HTTP security headers to identify and remediate similar misconfigurations.

Generated by OpenCVE AI on May 6, 2026 at 11:21 UTC.
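A small audit helper for the two directives this advisory names, added here as an example (not code from OpenCVE or HCL). It applies the CSP fallback rule that object-src inherits default-src when absent while base-uri never does, and it flags the unquoted none/self mistake. The sample headers are constructed for illustration.

```python
# Constructed sample headers (not taken from the product or the advisory).
WEAK_CSP = "default-src 'self'; script-src 'self' https://cdn.example.com"
FIXED_CSP = (
    "default-src 'self'; script-src 'self' https://cdn.example.com; "
    "object-src 'none'; base-uri 'self'"
)

STRICT_BASE_URI = {"'none'", "'self'"}


def parse_csp(header):
    """Map directive name -> list of source expressions.

    Directives are ';'-separated and case-insensitive; browsers honour the
    first occurrence of a repeated directive, so setdefault keeps that one.
    """
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy, directive):
    """object-src falls back to default-src when absent; base-uri does not."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src") if directive == "object-src" else None


def audit_csp(header):
    """Return findings for object-src and base-uri; an empty list means strict."""
    policy = parse_csp(header)
    findings = []
    for directive, allowed in (("object-src", {"'none'"}), ("base-uri", STRICT_BASE_URI)):
        sources = effective_sources(policy, directive)
        if sources is None:
            findings.append(f"{directive}: not set (no fallback applies)")
            continue
        # A bare none/self without quotes is a host-source, not the keyword.
        unquoted = [s for s in sources if s.lower() in ("none", "self")]
        if unquoted:
            findings.append(f"{directive}: unquoted keyword {unquoted}")
        too_broad = [s for s in sources if s not in allowed and s not in unquoted]
        if too_broad:
            findings.append(f"{directive}: non-strict sources {too_broad}")
    return findings


if __name__ == "__main__":
    for label, csp in (("weak", WEAK_CSP), ("fixed", FIXED_CSP)):
        print(label, audit_csp(csp) or "strict")
```

Run it against the Content-Security-Policy value returned by the server; the weak sample reports object-src inherited as 'self' and base-uri missing, the fixed sample reports nothing.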

Advisories

No advisories yet.

History

Wed, 06 May 2026 10:45:00 +0000

Type Values Removed Values Added
Description HCL DFXAnalytics is affected by an Insecure Security Header configuration vulnerability where the Content-Security-Policy does not define strict directives for object-src and base-uri, which could allow an attacker to exploit injection vectors such as Cross-Site Scripting (XSS)
Title HCL DFXAnalytics is affected by an Insecure Security Header configuration vulnerability
Weaknesses CWE-358
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: HCL

Published:

Updated: 2026-05-06T10:22:41.866Z

Reserved: 2025-04-01T18:46:23.152Z

Link: CVE-2025-31970

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-06T11:16:03.650

Modified: 2026-05-06T11:16:03.650

Link: CVE-2025-31970

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T11:30:26Z

Weaknesses