Business Logic Vulnerability in HCL Aftermarket EPC Software
CVE-2024-23564

9.1CRITICAL

Key Information:

Vendor
CVE Published:
17 July 2026

What is CVE-2024-23564?

HCL Aftermarket EPC is vulnerable to a business logic issue that allows an unauthorized user to exploit the application by extracting passwords from the server. By manipulating server responses, an attacker can redirect the retrieved passwords to their own email address. Although initial user validation checks are performed for UserId, similar controls are lacking for email-based password retrieval requests, leading to this security flaw.

Affected Version(s)

Aftermarket EPC version 1.0.0

References

CVSS V3.1

Score:
9.1
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.