CVE-2025-52628
HCL AION is susceptible to Missing SameSite vulnerability
In short
HCL AION 2.0 doesn't properly protect cookies from being sent in cross-site requests, which can allow attackers to trick users into performing unwanted actions on their accounts.
Technical detail
The application fails to set the SameSite attribute on cookies, allowing them to be transmitted in cross-site requests. This enables Cross-Site Request Forgery (CSRF) attacks where an attacker can forge requests on behalf of authenticated users. The vulnerability affects AION 2.0 and requires user interaction through a malicious third-party site.
Summary generated and translated by AI from the official description.
HCL AION is affected by a Cookie with Insecure, Improper, or Missing SameSite vulnerability. This can allow cookies to be sent in cross-site requests, potentially increasing exposure to cross-site request forgery and related security risks. This issue affects AION: 2.0.
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L
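The mitigation the description points at is to emit the SameSite attribute (and, where cross-site sending is genuinely intended, Secure) on every Set-Cookie header. The script below is an added example written for this page, not code from the advisory or from HCL AION: it parses Set-Cookie header values, reports cookies whose SameSite attribute is missing or inconsistent, and rebuilds a header with SameSite and Secure added. Every cookie name and header value in it is constructed for illustration, and the function names are this example's own.

```python
"""Audit Set-Cookie headers for a missing or inconsistent SameSite attribute.

Added example for this advisory, not code from HCL AION. All cookie names
and header values in this file are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple, Union

# Canonical spelling for the attributes we emit when rebuilding a header.
_CANONICAL = {
    "samesite": "SameSite", "secure": "Secure", "httponly": "HttpOnly",
    "path": "Path", "domain": "Domain", "max-age": "Max-Age", "expires": "Expires",
}


@dataclass
class CookieFinding:
    name: str
    samesite: Optional[str]          # attribute value as sent, None when absent
    secure: bool
    httponly: bool
    issues: List[str] = field(default_factory=list)


def parse_set_cookie(header_value: str) -> Tuple[str, str, Dict[str, Union[str, bool]]]:
    """Split one Set-Cookie value into (name, value, attributes).

    Attribute keys are lowercased; bare flags (Secure, HttpOnly) map to True.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Union[str, bool]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header_value: str) -> CookieFinding:
    """Report the SameSite posture of a single Set-Cookie header value."""
    name, _, attrs = parse_set_cookie(header_value)
    raw = attrs.get("samesite")
    samesite = raw if isinstance(raw, str) else None
    finding = CookieFinding(
        name=name,
        samesite=samesite,
        secure=attrs.get("secure") is True,
        httponly=attrs.get("httponly") is True,
    )
    mode = samesite.lower() if samesite else None
    if mode is None:
        # The condition the advisory describes: the browser falls back to its
        # default handling, so the cookie may ride along on cross-site requests
        # and CSRF protection rests entirely on other controls.
        finding.issues.append("SameSite attribute missing")
    elif mode == "none" and not finding.secure:
        finding.issues.append("SameSite=None requires the Secure attribute")
    elif mode == "none":
        finding.issues.append("SameSite=None permits cross-site sending; confirm this is intended")
    elif mode not in ("lax", "strict"):
        finding.issues.append(f"unrecognised SameSite value {samesite!r}")
    return finding


def audit_headers(headers: Iterable[Tuple[str, str]]) -> List[CookieFinding]:
    """Audit every Set-Cookie header in a (name, value) header sequence."""
    return [audit_set_cookie(v) for k, v in headers if k.lower() == "set-cookie"]


def harden_set_cookie(header_value: str, samesite: str = "Lax") -> str:
    """Rebuild a Set-Cookie value so it carries SameSite and Secure.

    Existing attributes keep their order; SameSite is set (or replaced) and
    Secure is added if absent. HttpOnly is left alone because some cookies
    must remain readable by scripts.
    """
    name, value, attrs = parse_set_cookie(header_value)
    attrs["samesite"] = samesite
    attrs["secure"] = True
    rendered = [f"{name}={value}"]
    for key, val in attrs.items():
        label = _CANONICAL.get(key, key)
        rendered.append(label if val is True else f"{label}={val}")
    return "; ".join(rendered)


if __name__ == "__main__":
    # Constructed response headers, not captured from any real system.
    sample = [
        ("Content-Type", "text/html"),
        ("Set-Cookie", "SESSIONID=abc123; Path=/; HttpOnly"),             # missing SameSite
        ("Set-Cookie", "pref=dark; Path=/; SameSite=None"),                # None without Secure
        ("Set-Cookie", "csrftoken=tok; Path=/; Secure; SameSite=Strict"),  # fine
    ]
    for f in audit_headers(sample):
        print(f"{f.name}: {'OK' if not f.issues else '; '.join(f.issues)}")
    print(harden_set_cookie("SESSIONID=abc123; Path=/; HttpOnly"))
```

`audit_headers` accepts any sequence of (name, value) pairs, so it can be fed the header list from `http.client` or `requests` when checking a live response; `Lax` is the default in `harden_set_cookie` because it blocks the cross-site POST pattern at issue here while still allowing ordinary top-level navigation to the application.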
Affected products
HCL · AION