Description
HCL Aftermarket DPC is affected by Session Fixation, which allows an attacker to take over the user's session and use it to carry out unauthorized transactions on behalf of the user.
Published: 2026-03-26
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Session hijacking enabling unauthorized transactions
Action: Patch
AI Analysis

Impact

A session fixation flaw in HCL Aftermarket DPC lets an attacker force a valid session identifier onto a target user and then use that same session to perform transactions without the user's consent.

Affected Systems

The vulnerability affects HCL Aftermarket DPC, version 1.0.0 as identified by the associated CPE string.

Risk and Exploitability

The CVSS score of 5.9 indicates medium severity, but the lack of a publicly available exploit reduces urgency. Since EPSS data is not provided and the vulnerability is not listed in the CISA KEV catalog, exploitation likelihood appears lower. However, the attack vector is likely remote via a crafted URL or form submission that sets the session ID before authentication, so the flaw is exploitable by anyone who can deliver such a request to a user.

Generated by OpenCVE AI on March 26, 2026 at 21:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor’s patch or upgrade to a non‑vulnerable version of HCL Aftermarket DPC
  • Follow the guidance detailed in HCL’s support article KB0129793 to ensure session identifiers are not accepted from untrusted sources
  • Verify that session cookies are only established after successful authentication and that session identifiers cannot be pre‑set by external input
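The last two recommendations describe the two properties a session layer needs against CWE-384: only server-issued identifiers are honoured, and the identifier is rotated at the moment of authentication. The following is an added example, not code from HCL or from OpenCVE, that models a minimal session store both ways (a vulnerable manager that keeps whatever identifier the client presented, beside a hardened one) and exposes a check, fixation_resisted, that a regression test can run. All names, the sample credential and the planted identifier are constructed for the illustration.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed sample credential store for the example (not a real system).
USERS = {"alice": "correct horse battery staple"}


@dataclass
class Session:
    user: Optional[str] = None          # None until authentication succeeds
    data: Dict[str, str] = field(default_factory=dict)


class VulnerableSessionManager:
    """Models the CWE-384 pattern: the pre-authentication id survives login."""

    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}

    def begin(self, client_sid: Optional[str]) -> str:
        # Defect: an id the server never issued is adopted as a valid session.
        sid = client_sid or secrets.token_urlsafe(32)
        self.sessions.setdefault(sid, Session())
        return sid

    def login(self, sid: str, user: str, password: str) -> str:
        if USERS.get(user) != password:
            raise PermissionError("bad credentials")
        # Defect: the identifier chosen before login is kept after it.
        self.sessions[sid].user = user
        return sid


class HardenedSessionManager:
    """Only server-issued ids are honoured and the id is rotated on login."""

    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}

    def begin(self, client_sid: Optional[str]) -> str:
        # An id not found in the server store is replaced, never adopted.
        if client_sid in self.sessions:
            return client_sid
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session()
        return sid

    def login(self, sid: str, user: str, password: str) -> str:
        if USERS.get(user) != password:
            raise PermissionError("bad credentials")
        # Rotate: the pre-auth session is destroyed and a fresh id is issued,
        # so any identifier known before login no longer maps to the user.
        old = self.sessions.pop(sid, Session())
        new_sid = secrets.token_urlsafe(32)
        self.sessions[new_sid] = Session(user=user, data=old.data)
        return new_sid


def fixation_resisted(manager, planted_sid: str) -> bool:
    """Regression check: a user who arrives with a pre-set id logs in; the
    pre-set id must not end up bound to the authenticated user."""
    sid = manager.begin(planted_sid)
    manager.login(sid, "alice", USERS["alice"])
    planted = manager.sessions.get(planted_sid)
    return planted is None or planted.user is None


if __name__ == "__main__":
    # Unknown id planted from outside the server.
    print("vulnerable:", fixation_resisted(VulnerableSessionManager(), "planted-id"))
    print("hardened:  ", fixation_resisted(HardenedSessionManager(), "planted-id"))
    # Legitimately issued pre-auth id, the case that only rotation covers.
    h = HardenedSessionManager()
    print("hardened, issued id:", fixation_resisted(h, h.begin(None)))
```

The second case in the usage block matters: refusing unknown identifiers alone is not enough, because a pre-authentication identifier that the server itself issued can still be planted, so the rotation in login is what closes that path. In a real web framework the equivalent is calling the framework's session-regeneration routine immediately after a successful credential check and setting the cookie only from that new value.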

Advisories

No advisories yet.

History

Fri, 27 Mar 2026 08:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Hcl
                                      Hcl aftermarket Dpc
Vendors & Products                    Hcl
                                      Hcl aftermarket Dpc

Thu, 26 Mar 2026 20:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Hcltech
                                      Hcltech aftermarket Cloud
CPEs                                  cpe:2.3:a:hcltech:aftermarket_cloud:1.0.0:*:*:*:*:*:*:*
Vendors & Products                    Hcltech
                                      Hcltech aftermarket Cloud

Thu, 26 Mar 2026 15:15:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc
                                      {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 13:15:00 +0000

Type                 Values Removed   Values Added
Description                           HCL Aftermarket DPC is affected by Session Fixation which allows attacker to takeover the user's session and use it carry out unauthorized transaction behalf of the user.
Title                                 HCL Aftermarket DPC is affected by Session Fixation
Weaknesses                            CWE-384
References
Metrics                               cvssV3_1
                                      {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: HCL

Published:

Updated: 2026-03-26T15:01:00.585Z

Reserved: 2025-08-12T06:59:56.644Z

Link: CVE-2025-55266

Vulnrichment

Updated: 2026-03-26T13:39:34.892Z

NVD

Status: Analyzed

Published: 2026-03-26T13:16:25.800

Modified: 2026-03-26T20:35:39.043

Link: CVE-2025-55266

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:28:27Z

Weaknesses