CVE-2025-52628
Insecure SameSite Cookie in HCL AION 2.0 Enables CSRF
Publication date: 2026-02-03
Last updated on: 2026-04-25
Assigner: HCL Software
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hcltech | aion | 2.0.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1275 | The SameSite attribute for sensitive cookies is not set, or an insecure value is used. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in HCL AION involves cookies that have insecure, improper, or missing SameSite attributes. This means that cookies can be sent along with cross-site requests, which should normally be restricted. As a result, this increases the risk of cross-site request forgery (CSRF) attacks and other related security issues.
How can this vulnerability impact me? :
This vulnerability can allow attackers to perform cross-site request forgery attacks by exploiting cookies sent in cross-site requests. This can lead to unauthorized actions being performed on behalf of a user, potentially compromising the integrity and availability of the affected system.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
I don't know