HCL Workload Automation is vulnerable to XML External Entity (XXE) Injection
CVE-2023-28008

8.1HIGH

Key Information:

Vendor: HCL Software
Status: Workload Automation
Vendor: CVE Published:; 26 April 2023

Summary

HCL Workload Automation versions 9.4, 9.5, and 10.1 are susceptible to an XML External Entity Injection (XXE) vulnerability during XML data processing. This issue allows remote attackers to exploit the vulnerability, potentially leading to the disclosure of sensitive information or excessive consumption of memory resources. Proper validation and sanitization of XML inputs are crucial to mitigate the associated risks.

Affected Version(s)

Workload Automation <=9.5.0.6, 10.1.0.0

References

https://support.hcltechsw.com/csm?id=kb_article&sysparm_a...

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Apr 26, 2023
Vulnerability Reserved
Mar 10, 2023