CVE-2023-28008
HCL Workload Automation is vulnerable to XML External Entity (XXE) Injection
In short
HCL Workload Automation improperly processes XML files, allowing attackers to read sensitive data or crash the system by injecting malicious XML code. This happens because the software doesn't safely handle external entities in XML documents.
Technical detail
An XXE injection vulnerability in HCL Workload Automation 9.4, 9.5, and 10.1 stems from unsafe XML parsing that remote attackers can exploit. Attack vectors include XML entity expansion (billion laughs) for denial of service and external entity references for information disclosure; no authentication is required. Impact includes unauthorized access to sensitive files and system resource exhaustion.
Summary generated and translated by AI from the official description.
HCL Workload Automation 9.4, 9.5, and 10.1 are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L
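As an added defender's example (not code from HCL Software or from this advisory), the following Python shows the usual mitigation for both vectors named above: an XML parser configured to refuse every DTD construct, run over constructed sample documents. The expat handler names are standard library; the sample documents, the `jobs` element and the file path are placeholders, not the product's format.

```python
import xml.parsers.expat as expat


class UnsafeXMLError(ValueError):
    """Untrusted XML used a DTD feature the hardened parser refuses."""


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse untrusted XML, refusing every DTD construct.
    Both advisory vectors need a DTD (external entities for disclosure,
    recursive expansion for DoS); rejecting the DOCTYPE when expat reports
    it closes both. Returns the root tag and element count."""
    parser = expat.ParserCreate()
    # Never fetch external parameter entities (external DTD subsets).
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def reject(reason):
        raise UnsafeXMLError(reason)  # raising inside a handler aborts Parse()

    parser.StartDoctypeDeclHandler = lambda name, *_: reject(f"DOCTYPE '{name}' not allowed")
    parser.EntityDeclHandler = lambda name, *_: reject(f"entity '{name}' not allowed")
    parser.ExternalEntityRefHandler = lambda ctx, base, sysid, pub: reject(f"external ref {sysid!r}")
    summary = {"root": None, "elements": 0}

    def on_start(tag, attrs):
        summary["root"] = summary["root"] or tag
        summary["elements"] += 1

    parser.StartElementHandler = on_start
    parser.Parse(data, True)
    return summary


def classify(data: bytes) -> str:
    """'ok' for a safely parsed document, else 'rejected: <reason>'."""
    try:
        parse_untrusted_xml(data)
        return "ok"
    except UnsafeXMLError as exc:
        return f"rejected: {exc}"


# Constructed test inputs (not from the product or the advisory).
BENIGN = b'<?xml version="1.0"?><jobs><job name="nightly"/></jobs>'
EXTERNAL_ENTITY = (b'<!DOCTYPE d [<!ENTITY x SYSTEM '
                   b'"file:///PLACEHOLDER/secret.txt">]><d>&x;</d>')
ENTITY_EXPANSION = (b'<!DOCTYPE d [<!ENTITY a "lol"><!ENTITY b "&a;&a;&a;">]>'
                    b'<d>&b;&b;&b;</d>')
```

Because the DOCTYPE is rejected before any entity is declared, neither sample ever reaches entity resolution or expansion, which is also why this check is cheap enough to run on every inbound document.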
Affected products
HCL Software · Workload Automation