{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-62320", "assignerOrgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc", "state": "PUBLISHED", "assignerShortName": "HCL", "dateReserved": "2025-10-10T09:04:19.898Z", "datePublished": "2026-03-17T12:02:08.881Z", "dateUpdated": "2026-03-17T12:56:51.604Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc", "shortName": "HCL", "dateUpdated": "2026-03-17T12:02:08.881Z"}, "title": "HTML Injection Leading to Data Exfiltration to External Server vulnerability affects HCL Unica Platform", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-79", "description": "CWE-79 Improper neutralization of input during web page generation ('cross-site scripting')", "type": "CWE"}]}], "affected": [{"vendor": "HCL", "product": "Sametime", "versions": [{"status": "affected", "version": "version 25.1.1 and below."}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "HTML Injection can be carried out in Product when a web application does not properly check or clean user input before showing it on a webpage. Because of this, an attacker may insert unwanted HTML code into the page. When the browser loads the page, it may automatically interact with external resources included in that HTML, which can cause unexpected requests from the user\u2019s browser.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "HTML Injection can be carried out in Product when a web application does not properly check or clean user input before showing it on a webpage. Because of this, an attacker may insert unwanted HTML code into the page. When the browser loads the page, it may automatically interact with external resources included in that HTML, which can cause unexpected requests from the user\u2019s browser."}]}], "references": [{"url": "https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0129460"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 4.7, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-17T12:56:45.655304Z", "id": "CVE-2025-62320", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-17T12:56:51.604Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-62320", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-17T12:56:45.655304Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-17T12:56:48.535Z"}}], "cna": {"title": "HTML Injection Leading to Data Exfiltration to External Server vulnerability affects HCL Unica Platform", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.7, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "HCL", "product": "Sametime", "versions": [{"status": "affected", "version": "version 25.1.1 and below."}], "defaultStatus": "unaffected"}], "references": [{"url": "https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0129460"}], "x_generator": {"engine": "Vulnogram 1.0.0"}, "descriptions": [{"lang": "en", "value": "HTML Injection can be carried out in Product when a web application does not properly check or clean user input before showing it on a webpage. Because of this, an attacker may insert unwanted HTML code into the page. When the browser loads the page, it may automatically interact with external resources included in that HTML, which can cause unexpected requests from the user\u2019s browser.", "supportingMedia": [{"type": "text/html", "value": "HTML Injection can be carried out in Product when a web application does not properly check or clean user input before showing it on a webpage. Because of this, an attacker may insert unwanted HTML code into the page. When the browser loads the page, it may automatically interact with external resources included in that HTML, which can cause unexpected requests from the user\u2019s browser.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper neutralization of input during web page generation ('cross-site scripting')"}]}], "providerMetadata": {"orgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc", "shortName": "HCL", "dateUpdated": "2026-03-17T12:02:08.881Z"}}}, "cveMetadata": {"cveId": "CVE-2025-62320", "state": "PUBLISHED", "dateUpdated": "2026-03-17T12:56:51.604Z", "dateReserved": "2025-10-10T09:04:19.898Z", "assignerOrgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc", "datePublished": "2026-03-17T12:02:08.881Z", "assignerShortName": "HCL"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hcltech:unica:*:*:*:*:*:*:*:*", "matchCriteriaId": "305B2D5D-64DB-40FC-9188-CCF3EA5764F1", "versionEndExcluding": "12.1.11", "vulnerable": true}, {"criteria": "cpe:2.3:a:hcltech:unica:*:*:*:*:*:*:*:*", "matchCriteriaId": "10B800BE-C835-4E99-A05F-FF5B0C8556F3", "versionEndExcluding": "25.1.1.0.1", "versionStartIncluding": "25.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:hcltech:unica_audience_central:*:*:*:*:*:*:*:*", "matchCriteriaId": "C3B128F6-5258-4CD7-9B8B-2EA82575046B", "versionEndExcluding": "12.1.11", "vulnerable": true}, {"criteria": "cpe:2.3:a:hcltech:unica_audience_central:*:*:*:*:*:*:*:*", "matchCriteriaId": "56033CC8-1562-481D-9781-68605E639D33", "versionEndExcluding": "25.1.1.0.1", "versionStartIncluding": "25.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:hcltech:unica_campaign:*:*:*:*:*:*:*:*", "matchCriteriaId": "DBD704E0-EC17-40EF-B125-A3F7B2265C87", "versionEndExcluding": "12.1.11", "vulnerable": true}, {"criteria": "cpe:2.3:a:hcltech:unica_campaign:*:*:*:*:*:*:*:*", "matchCriteriaId": "21A943C9-F93D-4385-9FA2-D7970FDF2CF5", "versionEndExcluding": "25.1.1.0.1", "versionStartIncluding": "25.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:hcltech:unica_centralised_offer_management:*:*:*:*:*:*:*:*", "matchCriteriaId": "62BA1D1F-E3A6-4F78-98C8-C5BF4C28BB45", "versionEndExcluding": "12.1.11", "vulnerable": true}, {"criteria": "cpe:2.3:a:hcltech:unica_centralised_offer_management:*:*:*:*:*:*:*:*", "matchCriteriaId": "122EAB2F-BB96-4954-93F9-82FB61D27A5D", "versionEndExcluding": "25.1.1.0.1", "versionStartIncluding": "25.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:hcltech:unica_contact_central:*:*:*:*:*:*:*:*", "matchCriteriaId": "7CB92F37-C4B6-403B-A150-C9BCB094CD41", "versionEndExcluding": "12.1.11", "vulnerable": true}, {"criteria": "cpe:2.3:a:hcltech:unica_contact_central:*:*:*:*:*:*:*:*", "matchCriteriaId": "A55CF519-0F7B-469D-96FE-D29DEDC35C9C", "versionEndExcluding": "25.1.1.0.1", "versionStartIncluding": "25.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:hcltech:unica_interact:*:*:*:*:*:*:*:*", "matchCriteriaId": "23118E78-677A-4E04-ABAA-7A301B45FFB1", "versionEndExcluding": "12.1.11", "vulnerable": true}, {"criteria": "cpe:2.3:a:hcltech:unica_interact:*:*:*:*:*:*:*:*", "matchCriteriaId": "73B4E36F-D53D-4E3C-92DA-97151A2BCEDF", "versionEndExcluding": "25.1.1.0.1", "versionStartIncluding": "25.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:hcltech:unica_journey:*:*:*:*:*:*:*:*", "matchCriteriaId": "A7802A1C-BE9A-45BB-81EE-C1836BB6933C", "versionEndExcluding": "12.1.11", "vulnerable": true}, {"criteria": "cpe:2.3:a:hcltech:unica_journey:*:*:*:*:*:*:*:*", "matchCriteriaId": "206F9793-8910-45B1-8249-B3F04B326AB2", "versionEndExcluding": "25.1.1.0.1", "versionStartIncluding": "25.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:hcltech:unica_plan:*:*:*:*:*:*:*:*", "matchCriteriaId": "7D193791-017A-4E65-A183-4780E3DE37AE", "versionEndExcluding": "12.1.11", "vulnerable": true}, {"criteria": "cpe:2.3:a:hcltech:unica_plan:*:*:*:*:*:*:*:*", "matchCriteriaId": "2EDC3A16-B40C-44D0-BEDB-8EBEE9671B58", "versionEndExcluding": "25.1.1.0.1", "versionStartIncluding": "25.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:hcltech:unica_segment_central:*:*:*:*:*:*:*:*", "matchCriteriaId": "13A74D83-78CC-495E-AC56-90C472725477", "versionEndExcluding": "12.1.11", "vulnerable": true}, {"criteria": "cpe:2.3:a:hcltech:unica_segment_central:*:*:*:*:*:*:*:*", "matchCriteriaId": "5C9D635D-AB51-43CF-B5C5-6E013191A637", "versionEndExcluding": "25.1.1.0.1", "versionStartIncluding": "25.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "HTML Injection can be carried out in Product when a web application does not properly check or clean user input before showing it on a webpage. Because of this, an attacker may insert unwanted HTML code into the page. When the browser loads the page, it may automatically interact with external resources included in that HTML, which can cause unexpected requests from the user\u2019s browser."}, {"lang": "es", "value": "La Inyecci\u00f3n HTML puede llevarse a cabo en el Producto cuando una aplicaci\u00f3n web no verifica o limpia adecuadamente la entrada del usuario antes de mostrarla en una p\u00e1gina web. Debido a esto, un atacante puede insertar c\u00f3digo HTML no deseado en la p\u00e1gina. Cuando el navegador carga la p\u00e1gina, puede interactuar autom\u00e1ticamente con recursos externos incluidos en ese HTML, lo que puede causar solicitudes inesperadas desde el navegador del usuario."}], "id": "CVE-2025-62320", "lastModified": "2026-05-11T14:18:40.947", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "psirt@hcl.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-17T13:16:16.503", "references": [{"source": "psirt@hcl.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0129460"}], "sourceIdentifier": "psirt@hcl.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "psirt@hcl.com", "type": "Secondary"}]}

{}