CVE-2025-52612
Analyzed Analyzed - Analysis Complete

CSV Injection in HCL iControl

Vulnerability report for CVE-2025-52612, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-04

Last updated on: 2026-06-04

Assigner: HCL Software

Description

HCL iControl was affected by Export CSV - CSV Injection vulnerability. It is vulnerable to a reflected cross-site scripting vulnerability. This was caused by an insufficient sanitation of input parameters. .

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-04
Last Modified
2026-06-04
Generated
2026-07-15
AI Q&A
2026-06-04
EPSS Evaluated
2026-07-13
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
hcltech icontrol 4.0.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1236 The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability in HCL iControl involves CSV Injection and reflected cross-site scripting due to insufficient input sanitation, which can lead to unauthorized data manipulation or disclosure.

Such vulnerabilities can impact compliance with standards like GDPR and HIPAA by potentially exposing sensitive personal or health information, violating requirements for data protection and integrity.

Organizations using affected versions of HCL iControl should assess the risk of data breaches or unauthorized access resulting from this vulnerability to ensure continued compliance.

Executive Summary

The vulnerability in HCL iControl involves an Export CSV - CSV Injection issue and a reflected cross-site scripting (XSS) vulnerability. It occurs due to insufficient sanitation of input parameters, allowing malicious input to be executed.

Impact Analysis

This vulnerability can lead to high impact on confidentiality, integrity, and availability, as indicated by the CVSS score. An attacker could exploit the reflected XSS to execute malicious scripts in the context of a user's browser, potentially stealing sensitive information or performing unauthorized actions. The CSV Injection could allow malicious code execution when exported CSV files are opened.

Mitigation Strategies

The vulnerability in HCL iControl is caused by insufficient sanitation of input parameters leading to CSV Injection and reflected cross-site scripting issues.

To mitigate this vulnerability, it is recommended to follow the guidance and apply any patches or updates provided by HCL as detailed in their security bulletin.

Review and restrict user input handling to ensure proper sanitization and validation to prevent injection attacks.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-52612. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart