A newly discovered vulnerability in HCL Software’s DevOps Deploy and Launch platforms, CVE-2024-42195, allows attackers to insert arbitrary HTML tags into the web UI, which could expose sensitive information.
The HTML injection flaw affects HCL Launch (7.0 through 7.3) and HCL DevOps Deploy (8.0) and stems from insufficient sanitization of user-supplied input before it is rendered in the web UI.
Because injected markup is rendered as part of the platform's pages, an attacker could alter what other users see and expose sensitive data displayed there, including user information and platform configurations.
The vulnerability has a CVSS score of 3.1, indicating low severity. However, HCL analysts note that the risk of exposing sensitive data makes it important for organizations to fix the issue quickly.
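The flaw described above is the classic HTML injection pattern: a value a user controls is concatenated into page markup without escaping. The following added example is not HCL's code and makes no claim about where the injection occurs in HCL Launch or DevOps Deploy; it shows a hypothetical display-name field rendered the vulnerable way and the hardened way, plus a small output check a defender can use to confirm that no tags from the input survive into the rendered fragment. The sample input is constructed.

```python
import html
import re

# Constructed sample: a display-name field a user can set and the web UI later
# renders. This is test input, not a value from the advisory.
UNTRUSTED_NAME = "alice <b>admin</b>"

def render_unsafe(display_name: str) -> str:
    """Vulnerable pattern: user input concatenated straight into markup.
    Any tag inside display_name becomes part of the page's DOM."""
    return f"<span class='user'>{display_name}</span>"

def render_safe(display_name: str) -> str:
    """Hardened pattern: HTML-escape before interpolation so the browser
    shows the text literally instead of parsing tags out of it."""
    return f"<span class='user'>{html.escape(display_name, quote=True)}</span>"

TAG_RE = re.compile(r"<[^>]+>")

def injected_tags(rendered: str) -> list:
    """Return every tag in the rendered fragment other than the template's own
    <span> wrapper. Anything left over came from the untrusted input."""
    tags = TAG_RE.findall(rendered)
    return [t for t in tags if not t.startswith("<span") and t != "</span>"]

if __name__ == "__main__":
    unsafe = render_unsafe(UNTRUSTED_NAME)
    safe = render_safe(UNTRUSTED_NAME)
    print(unsafe, injected_tags(unsafe))   # ['<b>', '</b>'] leak through
    print(safe, injected_tags(safe))       # [] after escaping
```

The check in `injected_tags` is deliberately simple; in a real review you would run it (or an HTML parser) over the server's actual responses for every field that echoes user input, since the fix for this class of bug is contextual output encoding at each render site, not a single input filter.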
Affected Products and Versions
The following versions are impacted:
- HCL Launch
  - 7.0 to 7.0.5.24
  - 7.1 to 7.1.2.20
  - 7.2 to 7.2.3.13
  - 7.3 to 7.3.2.8
- HCL DevOps Deploy
  - 8.0 to 8.0.1.3
HCL Software has released fixes for this vulnerability. Users are advised to update to the following versions:
- HCL Launch
  - 7.0.5.25, 7.1.2.21, 7.2.3.14, or 7.3.2.9
- HCL DevOps Deploy
  - 8.0.1.4 or the latest 8.1.0
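Because each release train has its own affected range and its own fix level, a lexical string comparison of versions gets the answer wrong (for example "7.0.5.9" sorts after "7.0.5.24"). The following added script, not HCL's tooling, encodes the affected ranges and fixed versions exactly as listed above and classifies an installed version numerically; the product names and the `assess` function are this example's own, and the installed versions in the usage section are constructed.

```python
# Affected ranges and fixed versions as listed in the advisory summary above:
# (train start, last affected build, first fixed build).
AFFECTED = {
    "HCL Launch": [
        ("7.0", "7.0.5.24", "7.0.5.25"),
        ("7.1", "7.1.2.20", "7.1.2.21"),
        ("7.2", "7.2.3.13", "7.2.3.14"),
        ("7.3", "7.3.2.8", "7.3.2.9"),
    ],
    "HCL DevOps Deploy": [
        ("8.0", "8.0.1.3", "8.0.1.4"),
    ],
}

def parse_version(v: str) -> tuple:
    """Turn '7.2.3.13' into (7, 2, 3, 13) so comparison is numeric, not lexical."""
    return tuple(int(p) for p in v.strip().split("."))

def assess(product: str, installed: str) -> dict:
    """Classify an installed version against the advisory's ranges.

    Returns a dict with 'status' in {'affected', 'fixed', 'unknown',
    'newer-train', 'not-in-advisory'} and the fix level for that train."""
    if product not in AFFECTED:
        raise ValueError(f"unknown product: {product}")
    iv = parse_version(installed)
    for low, high, fixed in AFFECTED[product]:
        lo, hi = parse_version(low), parse_version(high)
        # Only compare within the same major.minor train; 7.1.x is not
        # meaningfully "between" 7.0 and 7.0.5.24.
        if iv[:2] != lo[:2]:
            continue
        if lo <= iv <= hi:
            return {"status": "affected", "fix": fixed}
        if iv >= parse_version(fixed):
            return {"status": "fixed", "fix": fixed}
        # A build above the last affected one but below the fix level
        # (e.g. an unusual 5-part build number) needs a manual look.
        return {"status": "unknown", "fix": fixed}
    trains = [parse_version(low)[:2] for low, _, _ in AFFECTED[product]]
    if iv[:2] > max(trains):
        # Newer release train than any listed; the advisory names 8.1.0
        # as a current fixed release for DevOps Deploy.
        return {"status": "newer-train", "fix": None}
    return {"status": "not-in-advisory", "fix": None}

if __name__ == "__main__":
    # Constructed inventory of installs to check.
    for product, version in [("HCL Launch", "7.2.3.9"),
                             ("HCL Launch", "7.3.2.9"),
                             ("HCL DevOps Deploy", "8.0.1.3"),
                             ("HCL DevOps Deploy", "8.1.0")]:
        print(product, version, assess(product, version))
```

Feed it the version strings from your own inventory; any "affected" result identifies a host that needs the corresponding fix level, and "unknown" results are the ones to confirm by hand rather than assume safe.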
Currently, no workarounds or mitigations are available for this vulnerability, except for applying the recommended updates.
Although the CVSS score indicates low severity, organizations should not overlook the potential impact of HTML injection, especially in environments dealing with sensitive data or credentials.
Security teams should prioritize patching affected systems and reviewing access controls on HCL DevOps Deploy and Launch platforms to reduce exposure.
This vulnerability highlights the need for regular software updates and proactive vulnerability management to protect enterprise systems from emerging threats.