Impact
HCL DFXAnalytics suffers from an insecure security header configuration. The application still sends the obsolete X‑XSS‑Protection header, which does not protect against modern browser‑based rendering flaws and, in the absence of a proper Content Security Policy, leaves cross‑site scripting injection unmitigated. This weakness can enable an attacker to deliver malicious scripts that execute in a victim’s browser, compromising the confidentiality, integrity, or availability of web content.
Affected Systems
The affected product is HCL DFXAnalytics. No specific version range is provided in the CNA data, so all deployments using this product should be inspected for the legacy X‑XSS‑Protection header and for the presence of a CSP header. The vulnerability is vendor‑specific to HCL DFXAnalytics and does not affect other HCL or third‑party applications.
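As an added example (not code from HCL or OpenCVE), the following Python script audits a raw HTTP response for the two conditions described above: the obsolete X‑XSS‑Protection header and a missing or permissive Content‑Security‑Policy. The sample responses are constructed for illustration, not captured from the product.

```python
# Added example: audit an HTTP response's security headers for the advisory's
# two conditions (legacy X-XSS-Protection present, CSP missing or permissive).
# Both response samples below are constructed, not captured from DFXAnalytics.
from typing import Dict, List

LEGACY_SAMPLE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
X-XSS-Protection: 1; mode=block
Cache-Control: no-store
"""

HARDENED_SAMPLE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'
"""

def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse a raw response into lower-cased header name -> list of values."""
    headers: Dict[str, List[str]] = {}
    for line in raw.splitlines():
        if not line.strip() or line.startswith("HTTP/"):   # skip status line
            continue
        name, sep, value = line.partition(":")
        if sep:                                           # keep duplicate headers
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def csp_directives(policy: str) -> Dict[str, List[str]]:
    """Split a CSP value into directive -> source list (lower-cased)."""
    out: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return out

def audit_headers(raw: str) -> List[str]:
    """Return findings; an empty list means neither advisory condition applies."""
    headers = parse_headers(raw)
    findings: List[str] = []
    if "x-xss-protection" in headers:
        findings.append("obsolete X-XSS-Protection header sent; remove it")
    policies = headers.get("content-security-policy")
    if not policies:
        findings.append("no Content-Security-Policy header; scripts are unrestricted")
        return findings
    for policy in policies:
        # script-src falls back to default-src; simplified check that ignores
        # nonce/hash/'strict-dynamic' interactions with 'unsafe-inline'.
        script_sources = csp_directives(policy).get("script-src", csp_directives(policy).get("default-src"))
        if script_sources is None:
            findings.append("CSP lacks script-src and default-src; script loading unrestricted")
        elif "'unsafe-inline'" in script_sources or "*" in script_sources:
            findings.append("CSP script sources allow inline or wildcard scripts")
    return findings
```

Run `audit_headers()` over a captured response from each deployment; the legacy sample yields two findings, the hardened sample none.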
Risk and Exploitability
The CVSS score of 3.1 classifies this issue as low‑severity, and the EPSS score of 0.00029 indicates a very low probability that this vulnerability will be actively exploited. The vulnerability has not been listed in the CISA KEV catalog. Exploitation requires a web‑application user to interact with a crafted page that triggers the fallback behavior of the obsolete header or to supply input that the application renders unsanitized. Based on the description, the likely attack vector is local to the web browser, meaning that a user visiting a malicious page could trigger the flaw without additional authentication. The risk remains low, though missing security controls could be leveraged for XSS attacks.
OpenCVE Enrichment