CVE-2025-31952
BaseFortify
Publication date: 2025-07-24
Last updated on: 2025-10-10
Assigner: HCL Software
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hcltech | dryice_iautomate | 6.5.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-613 | According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization." |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in HCL iAutomate is due to insufficient session expiration, meaning that authentication tokens do not expire automatically and remain valid indefinitely unless they are manually revoked. This flaw increases the risk that unauthorized users could gain access by using these long-lived tokens.
How can this vulnerability impact me? :
The vulnerability can lead to unauthorized access because tokens remain valid indefinitely. If an attacker obtains a token, they could use it to access the system without restriction, potentially compromising sensitive data or system integrity.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should manually revoke any active tokens to ensure they do not remain valid indefinitely. Additionally, implement policies or configurations to enforce session expiration and token invalidation after a certain period to reduce the risk of unauthorized access.