Description
HCL iControl was affected by Export CSV - CSV Injection vulnerability. It is vulnerable to a reflected cross-site scripting vulnerability. This was caused by an insufficient sanitation of input parameters. .
Published: 2026-06-04
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw allows attackers to insert malicious payloads into CSV files exported from HCL iControl due to insufficient sanitation of user input. When a victim opens the generated CSV in a spreadsheet or web application that interprets the content without proper escaping, the injected script can run in the victim’s browser, potentially stealing session cookies, injecting malicious data, or defacing the application. The vulnerability is a classic example of reflected XSS manifested through CSV output.

Affected Systems

HCL iControl is impacted. The data set does not specify a vulnerable version, so any installation applying the affected code path should be reviewed and updated.

Risk and Exploitability

The CVSS score of 7.1 indicates a high severity flaw, although the EPSS score is unavailable, making the probability of exploitation uncertain. It is not tracked in the CISA KEV catalog. Attackers could exploit the flaw by crafting a CSV export request that includes malicious content. The vulnerability is accessed through normal user interaction with the export functionality; it requires that a victim open the resulting CSV file in a client that will process the injected content.

Generated by OpenCVE AI on June 4, 2026 at 13:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official HCL iControl patch that sanitizes input used in CSV export.
  • If a patch is not yet available, disable or limit the CSV export feature to trusted users only.
  • Add server‑side validation or escaping to all user‑supplied data that is written to CSV files to prevent injected formulas or scripts.

Generated by OpenCVE AI on June 4, 2026 at 13:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 04 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Hcltech
Hcltech icontrol
CPEs cpe:2.3:a:hcltech:icontrol:4.0.0:*:*:*:*:*:*:*
Vendors & Products Hcltech
Hcltech icontrol

Thu, 04 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 04 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Description HCL iControl was affected by Export CSV - CSV Injection vulnerability. It is vulnerable to a reflected cross-site scripting vulnerability. This was caused by an insufficient sanitation of input parameters. .
Title HCL iControl was affected by Export CSV - CSV Injection vulnerability.
Weaknesses CWE-1236
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

Hcltech Icontrol
cve-icon MITRE

Status: PUBLISHED

Assigner: HCL

Published:

Updated: 2026-06-04T13:19:36.171Z

Reserved: 2025-06-18T14:00:40.356Z

Link: CVE-2025-52612

cve-icon Vulnrichment

Updated: 2026-06-04T13:19:30.581Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-04T12:16:24.137

Modified: 2026-06-04T18:32:57.720

Link: CVE-2025-52612

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-05T10:08:20Z

Weaknesses
  • CWE-1236

    Improper Neutralization of Formula Elements in a CSV File