CVE-2023-28009
HCL Workload Automation is vulnerable to XML External Entity (XXE) Injection
In short
HCL Workload Automation can be tricked into processing malicious XML files that reference external entities, allowing an attacker to steal sensitive data or crash the system by consuming excessive memory.
Technical detail
An XML External Entity (XXE) injection vulnerability exists because HCL Workload Automation's XML parser does not disable external entity resolution when processing XML data. A remote attacker can submit crafted XML that references external entities to expose files the parser can read (information disclosure), or that declares recursively expanding entities (billion laughs / XML bomb) to exhaust memory (denial of service). The CVSS 3.1 vector below rates the attack as network-reachable (AV:N) and low complexity (AC:L), requiring low privileges (PR:L) and no user interaction (UI:N), with high confidentiality impact and no integrity or availability impact scored.
Summary generated and translated by AI from the official description.
HCL Workload Automation is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
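The root cause described above is a parser that leaves entity machinery enabled. The following is an added example, not code from HCL Workload Automation or from the advisory, showing the two standard mitigations on the consuming side using only the Python standard library: refuse any DOCTYPE before parsing (which removes the carrier for both external entities and entity bombs), or, where a DTD must be tolerated, switch external entity resolution off explicitly. The sample XML documents, the `job`/`name` element names and the helper names are constructed for illustration.

```python
# Added example (not HCL Workload Automation code): defensive XML parsing
# against XXE and entity-expansion denial of service, stdlib only.
import io
import xml.parsers.expat
import xml.sax
import xml.sax.handler
from xml.etree import ElementTree as ET


class UnsafeXML(ValueError):
    """Raised when a document carries DTD constructs the service never needs."""


def reject_doctype(data: bytes) -> None:
    """Fail fast on any <!DOCTYPE ...> declaration.

    Both flavours of XXE ride on the DOCTYPE: external entities (SYSTEM/PUBLIC
    identifiers pointing at files or URLs) for disclosure, and nested internal
    entities (billion laughs) for memory exhaustion. Application XML that never
    needs a DTD can simply refuse one.
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # expat invokes this at the start of the DOCTYPE, before any entity is
        # declared, resolved or expanded, so raising here aborts the parse early.
        raise UnsafeXML(f"DOCTYPE not allowed (root element {name!r})")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.Parse(data, True)


def parse_hardened(data: bytes) -> ET.Element:
    """Gate on DOCTYPE, then parse with ElementTree.

    With no DOCTYPE present there is nowhere to declare an entity, so the
    parser cannot be steered at external files or into an expansion bomb.
    """
    reject_doctype(data)
    return ET.fromstring(data)


class _TextCollector(xml.sax.handler.ContentHandler):
    """Collects character data so the result can be checked."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def parse_sax_no_external(data: bytes) -> str:
    """Alternative when a DTD must be tolerated: keep the DOCTYPE but turn
    external general and parameter entity resolution off before parsing.
    Returns the concatenated character data."""
    parser = xml.sax.make_parser()
    parser.setFeature(xml.sax.handler.feature_external_ges, False)
    parser.setFeature(xml.sax.handler.feature_external_pes, False)
    handler = _TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(data))
    return "".join(handler.parts)


# Constructed sample inputs (hypothetical job definition documents). The second
# carries only a harmless internal entity, which is enough to trip the gate.
SAMPLE_PLAIN = b"<job><name>nightly-backup</name></job>"
SAMPLE_WITH_DTD = b'<!DOCTYPE job [<!ENTITY greet "hello">]><job>&greet;</job>'


def demo() -> dict:
    """Run both documents through both strategies and report the outcomes."""
    results = {"plain": parse_hardened(SAMPLE_PLAIN).find("name").text}
    try:
        parse_hardened(SAMPLE_WITH_DTD)
        results["dtd"] = "accepted"
    except UnsafeXML as exc:
        results["dtd"] = f"rejected: {exc}"
    # The SAX path tolerates the DTD and expands the internal entity, but it
    # would not fetch anything declared as an external entity.
    results["sax"] = parse_sax_no_external(SAMPLE_WITH_DTD)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The DOCTYPE gate is the stronger of the two and is the right default for a service that only ever consumes its own schema; the SAX variant is the fallback when a DTD is legitimately required, and it still leaves internal entity expansion enabled, so an expansion limit or size cap on untrusted input remains necessary there.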
Affected products
HCL Software · Workload Automation