Description
HCL iControl was affected by a Missing Cookie Attributes vulnerability. It was observed that the application is missing several critical cookie attributes, including Secure and SameSite, and that the cookie path is set to root.
Published: 2026-06-04
Score: 3.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises because the application omits critical cookie attributes, notably Secure and SameSite, and sets the cookie path to the root. This enables an attacker to capture session identifiers over unencrypted connections or forge requests from cross‑site contexts, potentially allowing session takeover or unauthorized actions within the application.

Affected Systems

The issue affects HCL iControl. No specific version information is disclosed in the data provided.

Risk and Exploitability

With a CVSS score of 3.1, the severity is considered low, and the EPSS score is not available, indicating a relatively low immediate exploitation probability. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is through standard web traffic where the missing Secure flag permits sniffing, and the missing SameSite flag permits cross‑site request forgery. Exploitation would require only access to the application’s domain or network traffic, making it an opportunistic risk rather than a highly orchestrated exploit.

Generated by OpenCVE AI on June 4, 2026 at 13:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any available vendor patch, or update to a version that sets the missing cookie attributes correctly
  • If a patch is unavailable, enforce HTTPS for all traffic and configure the application to set 'Secure' and appropriate 'SameSite' (Lax or Strict) attributes for all session cookies
  • Ensure the cookie path is properly set to the intended application scope rather than the root, and verify the configuration through a security scan or manual audit

Generated by OpenCVE AI on June 4, 2026 at 13:22 UTC.

Advisories

No advisories yet.

History

Thu, 04 Jun 2026 18:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Hcltech; Hcltech icontrol
CPEs | | cpe:2.3:a:hcltech:icontrol:4.0.0:*:*:*:*:*:*:*
Vendors & Products | | Hcltech; Hcltech icontrol

Thu, 04 Jun 2026 13:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 04 Jun 2026 12:15:00 +0000

Type | Values Removed | Values Added
Description | | HCL iControl was affected by Missing Cookie Attributes vulnerability. It was observed that the application is missing several critical cookie attributes, including Secure and SameSite. And also path is set to root.
Title | | HCL iControl was affected by Missing Cookie Attributes vulnerability.
Weaknesses | | CWE-614
References | |
Metrics | | cvssV3_1 {'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: HCL

Published:

Updated: 2026-06-04T13:08:14.806Z

Reserved: 2025-06-18T14:00:38.418Z

Link: CVE-2025-52608

Vulnrichment

Updated: 2026-06-04T13:08:10.526Z

NVD

Status: Analyzed

Published: 2026-06-04T12:16:23.710

Modified: 2026-06-04T18:38:35.920

Link: CVE-2025-52608

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T10:08:15Z

Weaknesses
  • CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute