CVE-2025-52608
HCL iControl Missing Cookie Attributes Vulnerability
Publication date: 2026-06-04
Last updated on: 2026-06-04
Assigner: HCL Software
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hcl | icontrol | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-614 | The Secure attribute for sensitive cookies in HTTPS sessions is not set. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability involves missing critical cookie attributes such as Secure and SameSite in HCL iControl, which can lead to security weaknesses in cookie handling.
While the CVE description does not explicitly mention compliance impacts, missing Secure and SameSite cookie attributes can increase the risk of session hijacking or cross-site request forgery attacks, potentially leading to unauthorized access or data exposure.
Such security weaknesses may affect compliance with standards like GDPR and HIPAA, which require appropriate safeguards to protect personal and sensitive data.
How can this vulnerability impact me?
Because the Secure and SameSite attributes are missing from cookies, the risk of cookie theft or cross-site request forgery (CSRF) attacks increases. Attackers may exploit these missing attributes to hijack user sessions or perform unauthorized actions.
Can you explain this vulnerability to me?
The vulnerability in HCL iControl is due to missing critical cookie attributes. Specifically, the application does not set important cookie attributes such as Secure and SameSite, and the cookie path is set to root.
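To check a deployment's responses for the three conditions described above (no Secure, no SameSite, Path set to root), the following added example audits Set-Cookie header values. It is not code from HCL or from the advisory; the function names and the sample cookies are assumptions constructed for illustration.

```python
# Added example: audit Set-Cookie values for the attributes named in this advisory.
# Cookie names and values below are constructed samples, not taken from HCL iControl.

def parse_set_cookie(value):
    """Return (cookie_name, attrs); attribute names are lowercased, flags map to ''."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs

def audit_cookie(value):
    """Return (cookie_name, findings) for one Set-Cookie header value."""
    name, attrs = parse_set_cookie(value)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure")  # CWE-614: cookie may travel over plain HTTP
    samesite = attrs.get("samesite", "").lower()
    if samesite not in ("strict", "lax", "none"):
        findings.append("missing SameSite")
    elif samesite == "none" and "secure" not in attrs:
        findings.append("SameSite=None without Secure")
    if attrs.get("path") == "/":
        findings.append("Path is root")  # only an explicit Path=/ is flagged
    return name, findings

def audit_headers(values):
    """Map each cookie name to its findings; compliant cookies map to []."""
    return dict(audit_cookie(v) for v in values)

SAMPLE_HEADERS = [  # constructed
    "SESSIONID=abc123; Path=/; HttpOnly",
    "SESSIONID2=def456; Path=/app; Secure; HttpOnly; SameSite=Strict",
    "pref=dark; SameSite=None",
]

if __name__ == "__main__":
    for cookie, findings in audit_headers(SAMPLE_HEADERS).items():
        print(cookie, "->", findings or "ok")
```

Feed it the Set-Cookie values captured from the application's HTTPS responses; any cookie with a non-empty findings list matches one of the conditions this entry describes.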