A vulnerability has been discovered in HCL Software’s DevOps Deploy and Launch platforms, identified as CVE-2024-42195. The flaw, categorized as an HTML injection vulnerability, allows attackers to embed arbitrary HTML tags in the web user interface, potentially leading to sensitive information disclosure. The issue affects multiple versions of HCL Launch (7.0-7.3) and HCL DevOps Deploy (8.0) due to inadequate sanitization of user inputs. While the Common Vulnerability Scoring System (CVSS) rates this issue as low-severity (base score 3.1), HCL analysts consider it critical to address the vulnerability promptly due to the potential for sensitive data exposure. HCL has released updates to mitigate the vulnerability, and users are advised to upgrade to fixed versions (HCL Launch: 7.0.5.25, 7.1.2.21, etc., HCL DevOps Deploy: 8.0.1.4 or 8.1.0). No workarounds or mitigations have been identified apart from applying the recommended updates.