7.5

CVE-2026-56458

HCL DevOps Deploy is susceptible to a Permissive Cross-domain Security Policy with Untrusted Domains

HCL DevOps Deploy uses Cross-Origin Resource Sharing (CORS) which could allow an attacker to carry out privileged actions and retrieve sensitive information as the domain name is not being limited to only trusted domains.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
HcltechswHcl Devops Deploy Version >= 8.1.0.0 < 8.1.2.7
HcltechswHcl Devops Deploy Version >= 8.2.0.0 < 8.2.2.0
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.23% 0.132
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
psirt@hcl.com 5.4 2.8 2.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
CWE-942 Permissive Cross-domain Security Policy with Untrusted Domains

The product uses a web-client protection mechanism such as a Content Security Policy (CSP) or cross-domain policy file, but the policy includes untrusted domains with which the web client is allowed to communicate.

https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0131695
Vendor Advisory