cnvd - cnvd-2025-25463

CNVD-2025-25463

Vulnerability from cnvd - Published: 2025-10-28

Title

HCL MyXalytics存在未明漏洞

Description

HCL MyXalytics是印度HCL公司的一款分析类软件产品。用于进行数据分析等相关工作。 HCL MyXalytics存在安全漏洞，该漏洞源于加载第三方脚本时未进行完整性检查或验证，攻击者可利用该漏洞导致外部代码在应用程序环境中运行，存在数据泄露风险。

Severity

低

Patch Name

HCL MyXalytics存在未明漏洞的补丁

Patch Description

HCL MyXalytics是印度HCL公司的一款分析类软件产品。用于进行数据分析等相关工作。 HCL MyXalytics存在安全漏洞，该漏洞源于加载第三方脚本时未进行完整性检查或验证，攻击者可利用该漏洞导致外部代码在应用程序环境中运行，存在数据泄露风险。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0124411

Reference

https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0124411

Impacted products

Name
HCL HCL MyXalytics 6.6

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2025-52655",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2025-52655"
    }
  },
  "description": "HCL MyXalytics\u662f\u5370\u5ea6HCL\u516c\u53f8\u7684\u4e00\u6b3e\u5206\u6790\u7c7b\u8f6f\u4ef6\u4ea7\u54c1\u3002\u7528\u4e8e\u8fdb\u884c\u6570\u636e\u5206\u6790\u7b49\u76f8\u5173\u5de5\u4f5c\u3002\n\nHCL MyXalytics\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u52a0\u8f7d\u7b2c\u4e09\u65b9\u811a\u672c\u65f6\u672a\u8fdb\u884c\u5b8c\u6574\u6027\u68c0\u67e5\u6216\u9a8c\u8bc1\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u5916\u90e8\u4ee3\u7801\u5728\u5e94\u7528\u7a0b\u5e8f\u73af\u5883\u4e2d\u8fd0\u884c\uff0c\u5b58\u5728\u6570\u636e\u6cc4\u9732\u98ce\u9669\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0124411",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2025-25463",
  "openTime": "2025-10-28",
  "patchDescription": "HCL MyXalytics\u662f\u5370\u5ea6HCL\u516c\u53f8\u7684\u4e00\u6b3e\u5206\u6790\u7c7b\u8f6f\u4ef6\u4ea7\u54c1\u3002\u7528\u4e8e\u8fdb\u884c\u6570\u636e\u5206\u6790\u7b49\u76f8\u5173\u5de5\u4f5c\u3002\r\n\r\nHCL MyXalytics\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u52a0\u8f7d\u7b2c\u4e09\u65b9\u811a\u672c\u65f6\u672a\u8fdb\u884c\u5b8c\u6574\u6027\u68c0\u67e5\u6216\u9a8c\u8bc1\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5bfc\u81f4\u5916\u90e8\u4ee3\u7801\u5728\u5e94\u7528\u7a0b\u5e8f\u73af\u5883\u4e2d\u8fd0\u884c\uff0c\u5b58\u5728\u6570\u636e\u6cc4\u9732\u98ce\u9669\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "HCL MyXalytics\u5b58\u5728\u672a\u660e\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "HCL HCL MyXalytics 6.6"
  },
  "referenceLink": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0124411",
  "serverity": "\u4f4e",
  "submitTime": "2025-10-21",
  "title": "HCL MyXalytics\u5b58\u5728\u672a\u660e\u6f0f\u6d1e"
}

CVE-2025-52655 (GCVE-0-2025-52655)

Vulnerability from cvelistv5 – Published: 2025-10-10 08:55 – Updated: 2025-10-10 13:46

Title

HCL MyXalytics is affected by a Cross-Domain Script Include vulnerability.

Summary

Inclusion of Functionality from Untrusted Control Sphere vulnerability in HCL MyXalytics. v6.6 allows Loading third-party scripts without integrity checks or validation can allow external code run in the application's context, risking data exposure.

Severity ?

3.1 (Low)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N

CWE

CWE-829 - Inclusion of Functionality from Untrusted Control Sphere

Assigner

HCL

References

URL

Tags

https://support.hcl-software.com/csm?id=kb_articl…

Impacted products

	Vendor	Product	Version
	HCL	HCL MyXalytics	Affected: 6.6

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-52655",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-10T13:46:09.371910Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-10T13:46:15.359Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "HCL MyXalytics",
          "vendor": "HCL",
          "versions": [
            {
              "status": "affected",
              "version": "6.6"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Inclusion of Functionality from Untrusted Control Sphere vulnerability in HCL MyXalytics. v6.6\u003cbr\u003eallows Loading third-party scripts without integrity checks or validation can allow external code run in the application\u0027s context, risking data exposure."
            }
          ],
          "value": "Inclusion of Functionality from Untrusted Control Sphere vulnerability in HCL MyXalytics. v6.6\nallows Loading third-party scripts without integrity checks or validation can allow external code run in the application\u0027s context, risking data exposure."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.1,
            "baseSeverity": "LOW",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-829",
              "description": "CWE-829 Inclusion of Functionality from Untrusted Control Sphere",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-10-10T08:55:40.033Z",
        "orgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
        "shortName": "HCL"
      },
      "references": [
        {
          "url": "https://support.hcl-software.com/csm?id=kb_article\u0026sysparm_article=KB0124411"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "As a part of HCL MyXalytics v6.7, these issues have been remediated. For customers using older versions, the mitigation path will include upgrade to version 6.7 which in turn will fix the vulnerabilities during upgrade process. For fix implementation, our HCL MyXalytics support team will provide required the assistance.\n\n\u003cbr\u003e"
            }
          ],
          "value": "As a part of HCL MyXalytics v6.7, these issues have been remediated. For customers using older versions, the mitigation path will include upgrade to version 6.7 which in turn will fix the vulnerabilities during upgrade process. For fix implementation, our HCL MyXalytics support team will provide required the assistance."
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "HCL MyXalytics is affected by a Cross-Domain Script Include vulnerability.",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc",
    "assignerShortName": "HCL",
    "cveId": "CVE-2025-52655",
    "datePublished": "2025-10-10T08:55:40.033Z",
    "dateReserved": "2025-06-18T14:03:06.891Z",
    "dateUpdated": "2025-10-10T13:46:15.359Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2025-25463

CVE-2025-52655 (GCVE-0-2025-52655)

Tags

Sightings

Nomenclature