An XML External Entity (XXE) Injection Vulnerability affects HCL Unica Platform
CVE-2023-37497
8.1 HIGH
Summary
HCL Unica Platform exposes an application programming interface (API) that processes arbitrary XML input, including any document type definition (DTD) and entity declarations the caller supplies. By submitting crafted XML payloads, an authenticated attacker with appropriate privileges can carry out XML External Entity (XXE) attacks, which can lead to disclosure of sensitive files on the server, server-side request forgery (SSRF) against backend services reachable from the application host, and other security risks.
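The following Python script is an added illustration of the parser behaviour the summary describes; it is not code from HCL, from Unica, or from this advisory, and HCL Unica itself is a Java product, so the mechanism is shown with Python's expat binding only because it is the same parser hook (an external entity resolver) that any XML library exposes. The secret file, the payload and the request element names are constructed for the example.

```python
import os
import tempfile
import xml.parsers.expat as expat

# Constructed stand-in for a sensitive file on the application server.
SECRET = "root:x:0:0:root:/root:/bin/bash\n"


def make_secret_file():
    """Write the constructed secret to a temp file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "w") as f:
        f.write(SECRET)
    return path


def xxe_payload(path):
    """Classic file-disclosure XXE: an external general entity whose
    replacement text the parser fetches from a local file."""
    return (
        '<?xml version="1.0"?>'
        f'<!DOCTYPE request [<!ENTITY xxe SYSTEM "file://{path}">]>'
        "<request><name>&xxe;</name></request>"
    )


def parse_insecure(doc):
    """Parser that resolves external entities, as a misconfigured API
    endpoint would. Returns the character data it collected."""
    text = []
    parser = expat.ParserCreate()
    parser.CharacterDataHandler = text.append

    def resolve(context, base, system_id, public_id):
        # Fetch whatever the document asked for and parse it as entity
        # content; the child parser inherits the parent's handlers, so the
        # file contents flow straight into the collected character data.
        local_path = system_id.removeprefix("file://")
        with open(local_path, "rb") as f:
            child = parser.ExternalEntityParserCreate(context)
            child.Parse(f.read(), True)
        return 1

    parser.ExternalEntityRefHandler = resolve
    parser.Parse(doc, True)
    return "".join(text)


class DoctypeRejected(ValueError):
    """Raised when a document carries a DOCTYPE, which an API that never
    needs DTDs should refuse outright."""


def parse_hardened(doc):
    """Parser that rejects any DOCTYPE before entity declarations can be
    processed, and refuses to fetch external entities as a second layer."""
    text = []
    parser = expat.ParserCreate()
    parser.CharacterDataHandler = text.append

    def reject_doctype(doctype_name, system_id, public_id, has_internal_subset):
        raise DoctypeRejected(f"DOCTYPE not allowed: {doctype_name}")

    parser.StartDoctypeDeclHandler = reject_doctype
    # Returning 0 makes expat abort the parse instead of resolving the entity.
    parser.ExternalEntityRefHandler = lambda *args: 0
    parser.Parse(doc, True)
    return "".join(text)


def demo():
    """Run the payload through both parsers; returns (leaked, rejected)."""
    path = make_secret_file()
    try:
        doc = xxe_payload(path)
        leaked = parse_insecure(doc)
        try:
            parse_hardened(doc)
            rejected = False
        except DoctypeRejected:
            rejected = True
    finally:
        os.unlink(path)
    return leaked, rejected


if __name__ == "__main__":
    leaked, rejected = demo()
    print("insecure parser returned:", repr(leaked))
    print("hardened parser rejected the document:", rejected)
```

The hardened variant refuses the whole DOCTYPE rather than just disabling the resolver, because an endpoint that only ever expects plain request bodies has no legitimate use for DTDs, and that choice also blocks entity-expansion denial of service. A benign document with no DOCTYPE still parses normally.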
Affected Version(s)
HCL Unica Platform < 11.1.0.6, <12.1.1
References
CVSS V3.1
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved