Impact
The vulnerability in HCL iControl arises because the web application does not automatically terminate user sessions after inactivity, leaving idle sessions open for indefinite periods. This session‑management flaw (CWE‑613) permits an attacker to reuse an existing session token or capture traffic to hijack a session, potentially gaining unauthorized access or performing privileged actions that threaten the confidentiality and integrity of the application's data.
Affected Systems
The affected product is HCL Software’s iControl. No specific version information is provided, so the vulnerability may impact all releases of iControl until a patch removes the inadequate timeout behavior.
Risk and Exploitability
The CVSS score is 3.1, indicating low severity. EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting limited exploitation evidence. The likely attack vector is a remote web attacker exploiting the web application session timeout flaw without requiring credentials. While the risk is considered low, an attacker who obtains a session token—potentially through social engineering, phishing, or traffic interception—could hijack an idle session. Organizations should treat this as a moderate exposure for sensitive environments.
OpenCVE Enrichment