PatchSiren cyber security CVE debrief
CVE-2025-62320 Hcltech CVE debrief
CVE-2025-62320 is a medium-severity HTML injection issue affecting multiple HCL Unica products. The vulnerable behavior can allow attacker-controlled HTML to be displayed in a web page when input is not properly sanitized before rendering. Because the browser may process injected markup, the impact can include unexpected browser-originated requests to external resources. The NVD record shows the issue was published on 2026-03-17 and last modified on 2026-05-11; no CISA KEV listing is provided in the supplied corpus.
- Vendor: Hcltech
- Product: CVE-2025-62320
- CVSS: MEDIUM 4.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-03-17
- Original CVE updated: 2026-05-11
- Advisory published: 2026-03-17
- Advisory updated: 2026-05-11
Who should care
Teams that administer or develop against HCL Unica deployments should care first, especially owners of Unica web interfaces and any workflow that renders user-controlled content. Security teams should prioritize review of exposed web pages, input handling, and output encoding in the affected components.
Technical summary
NVD classifies the weakness as CWE-79 and assigns CVSS v3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N: the issue is reachable over the network with low attack complexity and no privileges, but it requires user interaction (a victim must load the affected page), its scope is changed (the injected markup is processed by the user's browser rather than the vulnerable component itself), and the rated impact is a low loss of confidentiality with no integrity or availability impact. The affected CPE scope in the supplied record includes HCL Unica, Unica Audience Central, Campaign, Centralised Offer Management, Contact Central, Interact, Journey, Plan, and Segment Central. NVD marks versions earlier than 12.1.11 as vulnerable for several product lines, and versions from 25.1.0 up to but not including 25.1.1.0.1 as vulnerable for the 25.1 branch.
Defensive priority
Medium. This is not a known-exploited item in the supplied corpus, but it is internet-reachable, requires no authentication, and can expose users to injected browser content. Prioritize it if the affected components are exposed to untrusted input or used by many users.
Recommended defensive actions
- Inventory HCL Unica components and compare installed versions with the NVD vulnerable ranges in this record.
- Apply the HCL vendor guidance referenced by NVD (KB0129460) and move affected installations to the fixed versions indicated by the advisory and NVD version boundaries.
- Review all pages that render user-supplied or workflow-supplied content and ensure HTML encoding/escaping is applied before output.
- If rich text is intentionally supported, restrict allowed tags and attributes with server-side allowlisting rather than passing raw HTML through.
- Validate that external-resource loading is not possible from fields that should only contain plain text.
- Monitor browser-facing application endpoints for unusual outbound requests or page content that indicates unsanitized HTML is being reflected.
- Re-test any customizations, templates, or plugins after patching to confirm content rendering is safely encoded.
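The three rendering-side actions above (encode plain-text fields before output, allowlist tags and attributes for fields that intentionally accept markup, and re-test that rendered pages no longer reflect raw markup) are illustrated by the following Python, which is an added example for this debrief and not HCL code; it says nothing about how Unica renders content internally. The allowlist, the set of accepted href schemes and the sample inputs are constructed for the illustration.

```python
"""Output encoding, server-side allowlist sanitization, and a re-test helper
for fields rendered into HTML (CWE-79 style HTML injection).

Added example for this debrief: not HCL Unica code, and the tag/attribute
allowlist below is an assumption chosen for illustration.
"""
import html
from html.parser import HTMLParser

# Constructed allowlist: what a "rich text" field is permitted to emit.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}   # every other attribute (onclick, style, ...) is dropped
VOID_TAGS = {"br"}                # emitted without a closing tag


def render_plain_text(value: str) -> str:
    """Treatment for fields that must only ever hold plain text.
    Every character with HTML meaning is entity-encoded, so markup such as
    <img src="http://..."> is displayed literally and never fetched by the browser."""
    return html.escape(value, quote=True)


def _safe_href(url: str) -> bool:
    """Accept only http(s), mailto and site-relative links; reject javascript:,
    data: and protocol-relative (//host) URLs."""
    u = url.strip().lower()
    if u.startswith("//"):
        return False
    return u.startswith(("http://", "https://", "mailto:", "/"))


class _AllowlistSanitizer(HTMLParser):
    """Rebuilds the HTML from scratch: only allowlisted tags/attributes are
    re-emitted, all text nodes are re-encoded, and unclosed tags are closed."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.open_tags: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return                                  # <img>, <script>, <iframe>... vanish
        kept = []
        for name, val in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or val is None:
                continue
            if name == "href" and not _safe_href(val):
                continue
            kept.append(f' {name}="{html.escape(val, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag in self.open_tags:
            while self.open_tags:                   # close anything left open inside it
                t = self.open_tags.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        # Text inside a dropped <script> arrives here too and is encoded, not executed.
        self.out.append(html.escape(data, quote=True))

    def result(self) -> str:
        while self.open_tags:
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_rich_text(value: str) -> str:
    """Treatment for fields that intentionally accept markup."""
    p = _AllowlistSanitizer()
    p.feed(value)
    p.close()
    return p.result()


def reflected_unencoded(field_value: str, page_html: str) -> bool:
    """Re-test helper: True when a submitted value containing markup appears
    verbatim in the rendered page, i.e. the browser would act on it."""
    return "<" in field_value and field_value in page_html


if __name__ == "__main__":
    # Constructed sample: a value that tries to pull an external resource.
    sample = 'Hello <b>world</b><img src="http://external.example/p.gif">'
    print(render_plain_text(sample))   # all markup shown literally
    print(sanitize_rich_text(sample))  # <b> kept, <img> dropped
    print(reflected_unencoded(sample, "<p>" + sample + "</p>"))  # True: unsafe page
```

Use render_plain_text for any field whose contract is "text only"; reach for sanitize_rich_text only where markup is a feature, and note that it rebuilds output from the allowlist rather than trying to strip bad patterns from raw HTML. reflected_unencoded is the check to run against rendered pages after patching customizations, templates or plugins.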
Evidence notes
All claims are limited to the supplied NVD record and its referenced HCL advisory. The CVE description identifies HTML injection; the NVD metadata lists CWE-79 and the affected HCL Unica product families and version ranges. The supplied timeline fields place publication on 2026-03-17 and modification on 2026-05-11, which are used here as the CVE dates. No exploit details, weaponized reproduction steps, or unsupported impact claims are included.
Official resources
- CVE-2025-62320 CVE record (CVE.org)
- CVE-2025-62320 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Patch, Vendor Advisory
Publicly disclosed in the CVE/NVD record on 2026-03-17 and updated on 2026-05-11. The supplied corpus references HCL advisory KB0129460 as the vendor remediation source. No KEV entry is provided.