6.1

CVE-2025-62320

HTML Injection Leading to Data Exfiltration to External Server vulnerability affects HCL Unica Platform

HTML Injection can be carried out in the product when a web application does not properly check or clean user input before showing it on a webpage. Because of this, an attacker may insert unwanted HTML code into the page. When the browser loads the page, it may automatically interact with external resources included in that HTML, which can cause unexpected requests from the user’s browser.
Data provided by the National Vulnerability Database (NVD)
Hcltech Unica Version < 12.1.11
Hcltech Unica Version >= 25.1.0 < 25.1.1.0.1
Hcltech Unica Audience Central Version < 12.1.11
Hcltech Unica Audience Central Version >= 25.1.0 < 25.1.1.0.1
Hcltech Unica Campaign Version < 12.1.11
Hcltech Unica Campaign Version >= 25.1.0 < 25.1.1.0.1
Hcltech Unica Centralised Offer Management Version >= 25.1.0 < 25.1.1.0.1
Hcltech Unica Contact Central Version < 12.1.11
Hcltech Unica Contact Central Version >= 25.1.0 < 25.1.1.0.1
Hcltech Unica Interact Version < 12.1.11
Hcltech Unica Interact Version >= 25.1.0 < 25.1.1.0.1
Hcltech Unica Journey Version < 12.1.11
Hcltech Unica Journey Version >= 25.1.0 < 25.1.1.0.1
Hcltech Unica Plan Version < 12.1.11
Hcltech Unica Plan Version >= 25.1.0 < 25.1.1.0.1
Hcltech Unica Segment Central Version < 12.1.11
Hcltech Unica Segment Central Version >= 25.1.0 < 25.1.1.0.1
No warning was found for this CVE.
EPSS Metrics

| Type | Source | Score | Percentile |
|------|--------|-------|------------|
| EPSS | FIRST.org | 0.04% | 0.104 |

CVSS Metrics

| Source | Base Score | Exploit Score | Impact Score | Vector String |
|--------|------------|---------------|--------------|---------------|
| nvd@nist.gov | 6.1 | 2.8 | 2.7 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| psirt@hcl.com | 4.7 | 2.8 | 1.4 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N |

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.