CVE-2025-52608
3.1 LOW
HCL iControl was affected by Missing Cookie Attributes vulnerability
Published: 2026-06-04 · Last updated: 2026-06-04
Severity and scoring
- CVSS: 3.1 LOW
- Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
- CWE: CWE-614
Affected products
| Vendor | Product |
|---|---|
| hcltech | icontrol |
Description
HCL iControl was affected by a Missing Cookie Attributes vulnerability. It was observed that the application is missing several critical cookie attributes, including Secure and SameSite. The cookie path is also set to root.
Source: NVD
Related CVEs
Same vendor
- CVE-2026-21837 — HCL Digital Experience is affected by an OS command injection vulnerability in the Digital Asset Management API (8.8 HIGH)
- CVE-2026-21826 — HCL Digital Experience and HCL Digital Experience Compose could be susceptible to Host header injection (6.1 MEDIUM)
- CVE-2026-21825 — HCL Digital Experience Compose is affected by a reflected cross-site scripting (XSS) vulnerability in the search center (6.1 MEDIUM)
- CVE-2025-52612 — HCL iControl was affected by Export CSV - CSV Injection vulnerability (7.1 HIGH)
- CVE-2025-52611 — HCL iControl v4.0.0 was affected by Unhandled Exception - Stack Trace Disclosure vulnerability (3.1 LOW)
Same CWE
- CVE-2026-46398 — HAX CMS helps manage microsite universe with PHP or NodeJs backends
- CVE-2026-41017 — Apache Airflow's `JWTRefreshMiddleware` set the JWT auth cookie without the `Secure` flag, so deployments running the Airflow API server ... (5.9 MEDIUM)
- CVE-2026-43828 — Default configurations of Apache Shiro send sensitive cookies in HTTPS session without 'Secure' attribute (6.5 MEDIUM)