CVE-2025-0272

5.4 MEDIUM

📋 TL;DR

HCL DevOps Deploy/Launch is vulnerable to HTML injection, allowing authenticated users to embed arbitrary HTML in the web interface. This could lead to information disclosure through crafted pages. Affects organizations using HCL's DevOps deployment tools.

💻 Affected Systems

Products:
  • HCL DevOps Deploy
  • HCL Launch
Versions: Versions prior to 9.2.3.5 and 9.3.0.4
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated access to the web interface.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

An authenticated attacker could create malicious HTML pages that steal session cookies, credentials, or sensitive deployment data from other users.

🟠 Likely Case

Limited information disclosure through crafted UI elements, potentially exposing internal system details or user data.

🟢 If Mitigated

With proper input validation and output encoding, impact is limited to minor UI disruption without data compromise.

🌐 Internet-Facing: MEDIUM - If exposed to internet, risk increases but still requires authentication.
🏢 Internal Only: MEDIUM - Internal attackers with valid credentials could exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access and knowledge of vulnerable input fields.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 9.2.3.5 and 9.3.0.4

Vendor Advisory: https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0120137

Restart Required: Yes

Instructions:

1. Download patches from HCL Support Portal.
2. Backup current installation.
3. Apply patch according to HCL documentation.
4. Restart application services.

🔧 Temporary Workarounds

Input Validation Enhancement

all

Implement additional input validation for all user-controlled fields in the web interface

Output Encoding

all

Ensure all user-supplied content is properly HTML-encoded before display

🧯 If You Can't Patch

  • Restrict web interface access to trusted users only
  • Implement web application firewall with HTML injection protection rules

🔍 How to Verify

Check if Vulnerable:

Check current version against affected versions (below 9.2.3.5 or 9.3.0.4)

Check Version:

Check version in web interface under Help > About, or consult application logs

Verify Fix Applied:

Verify version is 9.2.3.5 or higher, or 9.3.0.4 or higher
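The version check above has two fixed baselines (9.2.3.5 on the 9.2 line, 9.3.0.4 on the 9.3 line), so a naive "is it at least 9.2.3.5" test would wrongly pass 9.3.0.3. The following added example (not from the advisory or from HCL) encodes the branch-aware comparison; it assumes the 9.3 line starts at 9.3.0.0 and that the string read from Help > About is dotted numeric.

```python
# Added example for CVE-2025-0272 (not HCL's code): decide whether an
# HCL DevOps Deploy / Launch version string falls in the affected range.
# Assumption: the fix shipped on two maintenance lines, so a build is fixed
# only if it is >= 9.2.3.5 on the 9.2 line or >= 9.3.0.4 on the 9.3 line.
# Assumption: the 9.3 line starts at 9.3.0.0.
from typing import Tuple

FIXED_92 = (9, 2, 3, 5)
FIXED_93 = (9, 3, 0, 4)
BRANCH_93_START = (9, 3, 0, 0)  # assumed first build of the 9.3 line


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '9.2.3.5' (or a shorter form such as '9.3') into a 4-tuple, zero-padded."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


def is_affected(text: str) -> bool:
    """True when the build predates the fix on its own maintenance line."""
    v = parse_version(text)
    if v >= BRANCH_93_START:
        return v < FIXED_93   # 9.3 line: fixed from 9.3.0.4
    return v < FIXED_92       # 9.2 line and anything older: fixed from 9.2.3.5


def classify(text: str) -> str:
    """Human-readable verdict for a version string, as a verification checklist would report it."""
    if is_affected(text):
        return "AFFECTED - upgrade to 9.2.3.5 / 9.3.0.4 or later"
    return "fixed"


if __name__ == "__main__":
    # Constructed sample values, as they might be read from Help > About.
    for sample in ("9.2.3.4", "9.2.3.5", "9.2.4.0", "9.3.0.3", "9.3.0.4", "9.3.1"):
        print(f"{sample:>8}: {classify(sample)}")
```

Note that 9.2.4.0 is reported as fixed because it is above 9.2.3.5 on the 9.2 line, while 9.3.0.3 is affected despite being numerically higher.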

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTML content in user input fields
  • Multiple failed HTML injection attempts

Network Indicators:

  • Suspicious HTML/script content in HTTP POST requests to application endpoints

SIEM Query:

source="hcl-deploy" AND (http_method="POST" AND (content CONTAINS "<script>" OR content CONTAINS "javascript:"))
