Description
HCL iControl was affected by a Missing Security Headers vulnerability, which leads to cross-site scripting (XSS) attacks by enabling the built-in XSS filtering mechanisms of modern web browsers.
Published: 2026-06-04
Score: 3.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

HCL iControl omitted critical HTTP security headers, causing modern browsers to rely on their built‑in XSS protection. This creates a cross‑site scripting flaw that permits an attacker to inject scripts into pages served by the application. The vulnerability does not directly compromise data confidentiality or integrity, but it enables attackers to execute arbitrary JavaScript in the victim’s browser, which can lead to session hijacking or credential theft.

Affected Systems

The issue is present in all installations of the HCL iControl product that do not emit the relevant headers. No specific version numbers are listed, so any deployed instance is potentially vulnerable until a patch or configuration fix is applied.

Risk and Exploitability

The CVSS score of 3.7 classifies the flaw as low‑to‑moderate in severity. EPSS data is not available, and the vulnerability is not included in the CISA KEV catalog, indicating no confirmed exploitation in the wild. The likely attack vector is unauthenticated or authenticated access to the web interface that serves iControl content; since security headers are absent, browsers cannot apply their mitigations, making exploitation relatively straightforward for an attacker who can supply crafted input. This assessment is inferred from the description and the nature of missing headers.

Generated by OpenCVE AI on June 4, 2026 at 13:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any vendor‑released patch or update for HCL iControl that adds the appropriate HTTP security headers.
  • Configure the web server or application to emit headers such as X‑Content‑Type‑Options, X‑XSS‑Protection, and Content‑Security‑Policy to enforce browser‑side defenses.
  • Implement comprehensive input validation and output encoding throughout the application to prevent injected script execution.
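As an added example (not code from OpenCVE or from HCL), a small Python audit of a response header map for the headers named in the actions above; the sample responses are constructed, and the Content-Security-Policy check goes a little beyond the list by also flagging a policy that is present but does not actually restrict script sources.

```python
"""Audit an HTTP response header map for the browser-side defence headers
recommended above (added example; sample responses are constructed)."""
from typing import Dict, List

REQUIRED = {
    # header name -> expected value (None: any non-empty value is accepted)
    "x-content-type-options": "nosniff",
    "x-xss-protection": None,  # legacy header; only older browsers still honour it
    "content-security-policy": None,  # the control current browsers actually enforce
}

def _directives(csp: str) -> Dict[str, List[str]]:
    """Parse "default-src 'self'; script-src 'self' cdn.example" into a dict."""
    out: Dict[str, List[str]] = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out

def audit_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for a response; an empty list means no gaps were found."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # names are case-insensitive
    findings: List[str] = []
    for name, expected in REQUIRED.items():
        if name not in h or not h[name]:
            findings.append(f"{name} missing")
        elif expected is not None and h[name].lower() != expected:
            findings.append(f"{name} has unexpected value {h[name]!r}")
    csp = h.get("content-security-policy")
    if csp:
        d = _directives(csp)
        script_src = d.get("script-src", d.get("default-src"))  # scripts fall back to default-src
        if script_src is None:
            findings.append("content-security-policy does not restrict script sources")
        elif "'unsafe-inline'" in script_src and not any(
                s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in script_src):
            findings.append("content-security-policy allows inline scripts without nonce/hash")
    return findings

# Constructed sample responses, not captured from a real iControl deployment.
WEAK_RESPONSE = {"Content-Type": "text/html", "Server": "placeholder"}
HARDENED_RESPONSE = {
    "Content-Type": "text/html",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",  # legacy browsers only; CSP below is the real defence
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
}

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_security_headers(resp) or "no findings")
```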

Advisories

No advisories yet.

History

Thu, 04 Jun 2026 18:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Hcltech
                                       Hcltech icontrol
CPEs                                   cpe:2.3:a:hcltech:icontrol:4.0.0:*:*:*:*:*:*:*
Vendors & Products                     Hcltech
                                       Hcltech icontrol

Thu, 04 Jun 2026 14:30:00 +0000

Type                  Values Removed   Values Added
Metrics                                ssvc
                                       {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 04 Jun 2026 12:15:00 +0000

Type                  Values Removed   Values Added
Description                            HCL iControl was affected by Missing Security Headers vulnerability. which lead to cross-site scripting (XSS) attacks by enabling the built-in XSS filtering mechanisms of modern web browsers.
Title                                  HCL iControl was affected by Missing Security Headers vulnerability.
Weaknesses                             CWE-693
References
Metrics                                cvssV3_1
                                       {'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: HCL

Published:

Updated: 2026-06-04T13:17:17.034Z

Reserved: 2025-06-18T14:00:38.418Z

Link: CVE-2025-52609

Vulnrichment

Updated: 2026-06-04T13:17:13.808Z

NVD

Status : Analyzed

Published: 2026-06-04T12:16:23.880

Modified: 2026-06-04T18:34:41.517

Link: CVE-2025-52609

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T10:08:17Z

Weaknesses
  • CWE-693: Protection Mechanism Failure