Description
HCL Nomad server on Domino did not configure the frame-ancestors directive in the Content-Security-Policy header by default which could allow an attacker to obtain sensitive information via unspecified vectors.
Published: 2026-03-11
Score: 3.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure via Unrestricted framing
Action: Apply Patch
AI Analysis

Impact

The vulnerability arises from HCL Nomad server on Domino not configuring a default frame-ancestors directive in its Content‑Security‑Policy header. This omission allows an attacker to embed the server’s web pages in a frame or iframe on a malicious site, potentially leading to sensitive information exposure or other unspecified attack vectors. The weakness is identified as a missing security policy header, consistent with CWE‑1021 (Missing Expected Control Path).

Affected Systems

The affected product is HCLSoftware’s Nomad server on Domino. No specific product version is listed in the CNA data, so the issue may apply to all releases of this product until a fix is issued.

Risk and Exploitability

The CVSS score of 3.7 indicates a low severity. The EPSS score is below 1%, and the vulnerability is not listed in the CISA KEV catalog, suggesting a low likelihood of widespread exploitation. An attacker would need to serve a malicious page that frames the Nomad server, leveraging the missing frame‑ancestors directive. Given the low severity and exploit probability, the risk is moderate but mitigable.

Generated by OpenCVE AI on March 17, 2026 at 14:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the HCL Software website or support portal for a patch or update that adds the missing frame‑ancestors directive to the CSP header.
  • If a vendor fix is unavailable, manually add a frame‑ancestors policy to the web server’s CSP header, such as: frame-ancestors 'none'; or restrict to trusted domains.
  • Consider implementing additional defenses like the X‑Frame‑Options header or disabling framing at the application level.
  • Monitor for future advisories and update the server accordingly.
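
To verify the header-based mitigations listed above on a given response, a check along these lines can be used. This is an added example, not code from HCL or OpenCVE; the function names, the sample header sets and the host portal.example.com are constructed for illustration.

```python
# Added example: classify a response's framing protection from its headers.
WILDCARDS = {"*", "http:", "https:"}  # sources that let any site frame the page

def frame_ancestors(policy):
    """Return the frame-ancestors source list of one CSP policy, or None if absent."""
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None

def classify(sources):
    """Rank one source list: 2 = no framing, 1 = named origins only, 0 = anyone."""
    if not sources or sources == ["'none'"]:
        return 2  # an empty list matches nothing, same effect as 'none'
    return 0 if WILDCARDS & set(sources) else 1

def assess_framing(headers):
    """headers: iterable of (name, value) pairs from one HTTP response."""
    policies, xfo = [], None
    for name, value in headers:
        if name.lower() == "content-security-policy":
            policies += value.split(",")  # a comma separates independent policies
        elif name.lower() == "x-frame-options":
            xfo = value.strip().upper()
    lists = [fa for fa in map(frame_ancestors, policies) if fa is not None]
    if lists:
        # Every policy must allow the embedder, so the strictest list decides.
        # Browsers ignore X-Frame-Options once frame-ancestors is enforced.
        return ("open", "restricted", "none")[max(map(classify, lists))]
    if xfo in ("DENY", "SAMEORIGIN"):
        return "legacy-only"  # X-Frame-Options present, frame-ancestors absent
    return "missing"  # neither header restricts framing

# Constructed sample responses (not captured from a real Nomad server).
SAMPLES = {
    "no-directive": [("Content-Security-Policy", "default-src 'self'")],
    "hardened": [("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'")],
    "trusted": [("content-security-policy", "frame-ancestors 'self' https://portal.example.com")],
    "wildcard": [("Content-Security-Policy", "frame-ancestors *")],
    "xfo": [("X-Frame-Options", "sameorigin")],
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(f"{label:12} -> {assess_framing(hdrs)}")
```

A result of "missing" or "open" means any origin can frame the response; "legacy-only" means protection rests on X-Frame-Options alone.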



Advisories

No advisories yet.

History

Thu, 12 Mar 2026 18:15:00 +0000

Type | Values Removed | Values Added
Metrics |  | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 12 Mar 2026 10:15:00 +0000

Type | Values Removed | Values Added
First Time appeared |  | Hcltech; Hcltech nomad Server On Domino
Vendors & Products |  | Hcltech; Hcltech nomad Server On Domino

Wed, 11 Mar 2026 22:15:00 +0000

Type | Values Removed | Values Added
Description |  | HCL Nomad server on Domino did not configure the frame-ancestors directive in the Content-Security-Policy header by default which could allow an attacker to obtain sensitive information via unspecified vectors.
Title |  | HCL Nomad server on Domino is affected by a missing default frame-ancestors directive
Weaknesses |  | CWE-1021
References |  |
Metrics |  | cvssV3_1 {'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: HCL

Published:

Updated: 2026-03-12T17:43:19.489Z

Reserved: 2025-10-10T09:04:23.570Z

Link: CVE-2025-62328

Vulnrichment

Updated: 2026-03-12T17:43:15.392Z

NVD

Status: Awaiting Analysis

Published: 2026-03-11T22:16:19.933

Modified: 2026-03-12T21:08:22.643

Link: CVE-2025-62328

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T15:36:46Z
