Cyber Posture

CVE-2024-42180

Severity: Low
Published: 12 January 2025
Modified: 16 May 2025
CVSS Score: 1.6 (CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N)
EPSS Score: 0.0017 (38.1 percentile)
Risk Priority: 3 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

HCL MyXalytics is affected by a malicious file upload vulnerability. The application accepts invalid file uploads, including incorrect content types, double extensions, null bytes, and special characters, allowing attackers to upload and execute malicious files.

Security Summary

CVE-2024-42180 is a malicious file upload vulnerability in HCL MyXalytics. The application accepts invalid file uploads, including those with incorrect content types, double extensions, null bytes, and special characters. This flaw enables attackers to upload and execute malicious files, corresponding to CWE-434 (Unrestricted Upload of File with Dangerous Type). The vulnerability has a low CVSS v3.1 base score of 1.6.

Exploitation requires physical access (AV:P), high attack complexity (AC:H), high privileges (PR:H), and user interaction (UI:R), with no impact on confidentiality or availability and only low integrity impact (I:L). An attacker meeting these prerequisites, such as a privileged insider with physical access, could induce a user to process a malicious upload, potentially leading to unauthorized file execution and limited integrity compromise within the unchanged scope (S:U).

HCL has published a knowledge base article addressing the vulnerability: https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0118149.
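The checks the summary above says the application lacked, shown as an added example of server-side upload validation (not HCL's code; the allowlist, the `validate_upload` function and the sample inputs are assumptions for illustration): a fixed extension allowlist, the declared content type reconciled with both the extension and the file's leading bytes, and rejection of null bytes, double extensions and special characters in the submitted name.

```python
"""Upload validation for the CWE-434 failure modes named on this page.
Added example, not vendor code: every check returns a named reason so a
rejection can be logged and alerted on."""
import re

# Allowlist (assumed): extension -> (required declared type, magic-byte prefix)
ALLOWED = {
    "png": ("image/png", b"\x89PNG\r\n\x1a\n"),
    "jpg": ("image/jpeg", b"\xff\xd8\xff"),
    "pdf": ("application/pdf", b"%PDF-"),
}
# Stem may contain only letters, digits, underscore and hyphen.
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def validate_upload(filename: str, content_type: str, data: bytes):
    """Return (accepted, reason_or_safe_name)."""
    # Null bytes: lower-level APIs truncate at \0, so "report.php\0.png"
    # would pass a suffix check yet be stored as "report.php".
    if "\x00" in filename:
        return False, "null byte in file name"
    # Discard any path component the client supplied ("../", "C:\").
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    parts = base.split(".")
    # Exactly one extension: "report.php.png" has two and is rejected.
    if len(parts) != 2:
        return False, "file name must have exactly one extension"
    stem, ext = parts[0], parts[1].lower()
    if not SAFE_STEM.fullmatch(stem):
        return False, "special characters in file name"
    if ext not in ALLOWED:
        return False, f"extension .{ext} not allowed"
    expected_type, magic = ALLOWED[ext]
    # The declared Content-Type is client-controlled: it must match the
    # allowlisted type for this extension ...
    if content_type.split(";")[0].strip().lower() != expected_type:
        return False, "content type does not match extension"
    # ... and the bytes actually uploaded must match it too.
    if not data.startswith(magic):
        return False, "file contents do not match extension"
    return True, f"{stem}.{ext}"


if __name__ == "__main__":
    # Constructed sample: a valid PNG header followed by padding bytes.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
    print(validate_upload("chart.png", "image/png", png))
    print(validate_upload("report.php.png", "image/png", png))
```

Each rejection reason is a distinct string, which makes the validator's log output easy to turn into a detection for repeated malformed-upload attempts against a single account.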

Details

CWE(s): CWE-434 (Unrestricted Upload of File with Dangerous Type)

Affected Products

Vendor: hcltech
Product: dryice myxalytics
Version: 6.3

References