CVE-2024-42168

High

Published: 11 January 2025

Published

11 January 2025

Modified

16 May 2025

KEV Added

—

Patch

—

CVSS Score 8.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L

EPSS Score 0.0028 51.1th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

HCL MyXalytics is affected by out-of-band resource load (HTTP) vulnerability. An attacker can deploy a web server that returns malicious content, and then induce the application to retrieve and process that content.

Security Summary

CVE-2024-42168 is an out-of-band resource load vulnerability involving HTTP requests in HCL MyXalytics. The issue allows an attacker to deploy a web server that returns malicious content and then induce the application to retrieve and process that content. It carries a CVSS v3.1 base score of 8.9 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L) and maps to CWE-610 (Externally Controlled Reference to a Resource in Another Sphere) and CWE-918 (Server-Side Request Forgery).

An unauthenticated attacker accessible over the network can exploit this vulnerability, though it requires high attack complexity and no user interaction. By tricking the application into fetching and processing content from the attacker's controlled server, the attacker can achieve high impacts on confidentiality and integrity, with a low impact on availability, due to the cross-scope execution.

The HCL Software support knowledge base article at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0118149 provides details on advisories and mitigation steps for this vulnerability.

Details

CWE(s): CWE-610CWE-918

Affected Products

hcltech

dryice myxalytics

6.3

References

https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0118149
Vendor Advisory · psirt@hcl.com