CVE-2025-63401
📋 TL;DR
A Cross-Site Scripting (XSS) vulnerability in HCLTech DRAGON allows remote attackers to inject script into web pages viewed by other users. All HCLTech DRAGON installations before version 7.6.0 are affected. A successful attack can steal session cookies, redirect users, or perform actions in the victim's session.
💻 Affected Systems
- HCLTech DRAGON
📦 What is this software?
DRAGON by HCLTech
⚠️ Risk & Real-World Impact
Worst Case
Attacker steals administrator credentials, takes full control of the DRAGON system, and uses it as a foothold to attack internal networks.
Likely Case
Attacker steals user session cookies to impersonate legitimate users, accesses sensitive data, or performs unauthorized actions within the application.
If Mitigated
Script execution is blocked by Content Security Policy or input validation, limiting impact to minor UI disruption.
🎯 Exploit Status
XSS generally needs some user interaction: reflected XSS requires the victim to open a crafted link, while stored XSS fires whenever a user views the page holding the payload, with no interaction beyond normal use. Either way, exploitation is straightforward once the injection point is identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.6.0
Vendor Advisory: https://excalibur-hcl.my.salesforce.com/sfc/p/#U0000000YO14/a/Pf000003dyQn/x0oUOgfHG6F0wUhpmSMcmXMuwO2GYuSf_duzWPRebao
Restart Required: Yes
Instructions:
1. Download HCLTech DRAGON version 7.6.0 from official vendor sources.
2. Back up the current installation and data.
3. Apply the update following HCL's upgrade documentation.
4. Restart all DRAGON services.
5. Verify functionality post-update.
🔧 Temporary Workarounds
Implement Content Security Policy
Add a CSP header at the reverse proxy or web server to block inline script execution and restrict script sources.
Add Content-Security-Policy: script-src 'self' to the web server configuration. Note that 'self' also blocks the application's own inline scripts, so deploy the policy first as Content-Security-Policy-Report-Only, review the violation reports or browser console, and only then switch to the enforcing header. A CSP limits what an injected script can do; it does not remove the injection point.
Input Validation Filter
Deploy a WAF or application-level filter to reject user input containing script tags.
Configure WAF rules to block <script>, javascript:, and on* event-handler attributes. Decode URL and HTML-entity encoding before matching, since %3Cscript%3E or double-encoded payloads slip past a literal match, and treat this as a stopgap: signature blocklists are routinely bypassed and may also reject legitimate input.
🧯 If You Can't Patch
- Isolate DRAGON application behind reverse proxy with strict input validation
- Implement network segmentation to limit DRAGON access to trusted users only
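The reverse-proxy mitigation described above, as an added example that is not HCL's code and not part of the original advisory: a Python WSGI middleware that stamps the CSP from the workaround section on every response and rejects requests whose decoded query string or body carries the three indicators listed (script tags, javascript: URIs, on* attributes). The names dragon_stub, XssShield and send, and the sample payloads, are constructed for the example; a production deployment would express the same rules in nginx, Apache or a WAF rather than in Python.

```python
import html
import io
import re
from urllib.parse import unquote_plus
from wsgiref.util import setup_testing_defaults

# The three indicators named above, matched on normalized text. This is a
# blocklist: it misses encodings it does not undo and can false-positive on
# legitimate input, so it is a stopgap until 7.6.0 is installed.
XSS_PATTERN = re.compile(
    r"<\s*script"                  # <script ...> tags
    r"|javascript\s*:"             # javascript: URIs
    r"|[\s\"'/]on[a-z]+\s*=",      # on*= handlers in tag context, e.g. onerror=
    re.IGNORECASE,
)


def normalize(value: str, rounds: int = 3) -> str:
    """Undo up to `rounds` layers of URL encoding, then HTML entities."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return html.unescape(value)


def is_suspicious(raw: str) -> bool:
    return XSS_PATTERN.search(normalize(raw)) is not None


def naive_blocks(raw: str) -> bool:
    """A literal '<script>' signature, for comparison: it misses encoded
    and attribute-based payloads."""
    return "<script>" in raw.lower()


class XssShield:
    """WSGI middleware: reject suspicious requests, stamp a CSP on the rest."""

    def __init__(self, app, policy="script-src 'self'", report_only=False):
        self.app = app
        self.policy = policy
        # 'self' also blocks the application's own inline scripts, so start
        # in Report-Only mode and check violation reports before enforcing.
        self.header = ("Content-Security-Policy-Report-Only" if report_only
                       else "Content-Security-Policy")

    def __call__(self, environ, start_response):
        query = environ.get("QUERY_STRING", "")
        length = int(environ.get("CONTENT_LENGTH") or 0)
        raw_body = environ["wsgi.input"].read(length) if length else b""
        environ["wsgi.input"] = io.BytesIO(raw_body)  # let the app re-read it
        if is_suspicious(query) or is_suspicious(raw_body.decode("utf-8", "replace")):
            start_response("400 Bad Request", [("Content-Type", "text/plain")])
            return [b"request rejected\n"]

        def shielded_start(status, headers, exc_info=None):
            # Drop any CSP the upstream sends so exactly one policy applies.
            headers = [(k, v) for k, v in headers if k.lower() != self.header.lower()]
            headers.append((self.header, self.policy))
            return start_response(status, headers, exc_info)

        return self.app(environ, shielded_start)


def dragon_stub(environ, start_response):
    """Constructed stand-in for DRAGON: reflects the query into HTML without
    escaping, which is the behaviour an XSS bug produces."""
    start_response("200 OK", [("Content-Type", "text/html")])
    page = "<html><body>" + unquote_plus(environ.get("QUERY_STRING", "")) + "</body></html>"
    return [page.encode()]


def send(app, query="", method="GET", body=b""):
    """Drive a WSGI app offline; returns (status, headers as dict, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ.update(REQUEST_METHOD=method, QUERY_STRING=query,
                   CONTENT_LENGTH=str(len(body)))
    environ["wsgi.input"] = io.BytesIO(body)
    result = {}

    def start_response(status, headers, exc_info=None):
        result["status"], result["headers"] = status, dict(headers)
        return lambda data: None

    out = b"".join(app(environ, start_response))
    return result["status"], result["headers"], out


if __name__ == "__main__":
    shield = XssShield(dragon_stub, report_only=True)
    for q in ("q=hello",
              "q=%3Cscript%3Ealert(1)%3C/script%3E",
              "q=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E"):
        status, headers, _ = send(shield, query=q)
        print(f"{q!r:60} -> {status}  {headers.get(shield.header, '')}")
```

The double-encoded img/onerror payload in the usage loop is the case a literal "<script>" signature never sees; the normalize step is what makes the filter catch it, and the same step is what a WAF rule needs before matching.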
🔍 How to Verify
Check if Vulnerable:
Check DRAGON version via admin interface or configuration files. If version is below 7.6.0, system is vulnerable.
Check Version:
Check web interface footer or consult DRAGON administration documentation for version check procedure
Verify Fix Applied:
Confirm the version is 7.6.0 or higher, then submit a harmless probe payload to the affected input and confirm it is rendered as text rather than executed.
📡 Detection & Monitoring
Log Indicators:
- Unusually long parameter values in web logs
- Requests whose decoded URL or body contains script tags, javascript: URIs, or on*= event-handler attributes
- The same session cookie used from a new source IP or User-Agent shortly afterwards (a stolen cookie being replayed)
Network Indicators:
- Outbound connections to unknown domains following DRAGON access
- Unusual traffic patterns to DRAGON web endpoints
SIEM Query:
(web.url CONTAINS "<script>" OR web.url CONTAINS "javascript:") AND dest.app="HCL DRAGON"
The parentheses matter: AND binds tighter than OR in most query languages, so without them the application filter applies only to the javascript: branch and the <script> branch matches every application. Match on the URL-decoded field, or add the encoded forms %3Cscript%3E and javascript%3A, or encoded payloads will be missed.