Description
HCL Aftermarket DPC is affected by a Cross Domain Script Include vulnerability in which an attacker using external scripts can tamper with the DOM, altering the content or behavior of the application. Malicious scripts can steal cookies or session tokens, leading to session hijacking.
Published: 2026-03-26
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Session hijacking
Action: Patch now
AI Analysis

Impact

A cross-domain script include flaw in HCL Aftermarket DPC lets an attacker supply or host malicious external scripts that the application loads. Once executed, the script can alter the Document Object Model, enabling the theft of cookies or session tokens and resulting in the hijacking of user sessions. The vulnerability compromises the confidentiality and integrity of session state and permits unauthorized access to user data.

Affected Systems

The affected product is HCL Aftermarket DPC, version 1.0.0. No other vendors or products were listed as impacted by this entry.

Risk and Exploitability

The CVSS base score of 4.3 indicates moderate severity. An EPSS score is not available and the flaw is not listed in the CISA KEV catalog. Based on the description, the attack vector is inferred to rely on an attacker hosting or supplying external scripts that the application includes, allowing the malicious code to read cookies or other sensitive data. Exploitation requires the attacker to provide a suitable script and get the application to load it; once executed, session hijacking occurs without direct server-side code execution.

Generated by OpenCVE AI on March 26, 2026 at 22:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch or upgrade to a fixed version of HCL Aftermarket DPC as soon as it becomes available.
  • If a patch is not yet released, configure the application to reject cross-domain script includes or enforce a strict Content Security Policy that limits script sources to the local origin.
  • Configure session cookies with the Secure, HttpOnly, and SameSite attributes to reduce the risk of token theft.
  • Monitor application logs and network traffic for anomalous script loading or unexpected DOM modifications.

Advisories

No advisories yet.

History

Fri, 27 Mar 2026 08:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Hcl
                                      Hcl aftermarket Dpc
Vendors & Products                    Hcl
                                      Hcl aftermarket Dpc

Thu, 26 Mar 2026 20:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Hcltech
                                      Hcltech aftermarket Cloud
CPEs                                  cpe:2.3:a:hcltech:aftermarket_cloud:1.0.0:*:*:*:*:*:*:*
Vendors & Products                    Hcltech
                                      Hcltech aftermarket Cloud

Thu, 26 Mar 2026 15:15:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc
                                      {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 13:15:00 +0000

Type                 Values Removed   Values Added
Description                           HCL Aftermarket DPC is affected by Cross Domain Script Include vulnerability where an attacker using external scripts can tamper with the DOM, altering the content or behavior of the application. Malicious scripts can steal cookies or session tokens, leading to session hijacking.
Title                                 HCL Aftermarket DPC is affected by Cross Domain Script Include vulnerability
Weaknesses                            CWE-829
References
Metrics                               cvssV3_1
                                      {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Subscriptions

Hcl Aftermarket Dpc
Hcltech Aftermarket Cloud
MITRE

Status: PUBLISHED

Assigner: HCL

Published:

Updated: 2026-03-26T15:01:54.300Z

Reserved: 2025-08-12T07:00:17.741Z

Link: CVE-2025-55273

Vulnrichment

Updated: 2026-03-26T13:42:38.264Z

NVD

Status: Analyzed

Published: 2026-03-26T13:16:26.883

Modified: 2026-03-26T20:30:24.353

Link: CVE-2025-55273

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:28:34Z

Weaknesses