A recently disclosed vulnerability in HCL Software’s DevOps Deploy and Launch platforms has raised security concerns.
Identified as CVE-2024-42195, this vulnerability allows attackers to embed arbitrary HTML tags within the web user interface (UI), potentially leading to sensitive information disclosure.
The flaw, categorized as an HTML injection vulnerability, affects multiple versions of HCL Launch (7.0 through 7.3) and HCL DevOps Deploy (8.0).
The issue arises from inadequate sanitization of user inputs, enabling malicious actors to inject HTML code into the web UI. This could result in unauthorized access to sensitive data displayed on the platform.
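The mechanism described above, as an added illustration that is not taken from HCL's advisory or product code: a rendering routine that concatenates a user-supplied field straight into page markup beside one that escapes it first, plus a small check that lists which elements a browser would create from the resulting fragment. The field names and sample values are constructed for the example.

```python
import html
from html.parser import HTMLParser

# Constructed sample values standing in for user-controlled text shown in a
# web UI (e.g. a deployment or component name). Not from the advisory.
SAMPLE_FIELDS = {
    "name": "nightly-build-42",
    "description": "release <b>candidate</b>",
    "notes": '<a href="https://example.invalid/">sign in again</a>',
}


def render_unsafe(field_value: str) -> str:
    """Vulnerable pattern: the value is interpolated into the markup as-is,
    so any tags it contains become real elements of the page (HTML injection)."""
    return f'<td class="name">{field_value}</td>'


def render_safe(field_value: str) -> str:
    """Hardened pattern: <, >, &, and quotes are escaped before the value
    reaches the markup, so the text is displayed literally."""
    return f'<td class="name">{html.escape(field_value, quote=True)}</td>'


class _TagCollector(HTMLParser):
    """Records the start tags the parser sees, in document order."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append(tag)


def elements_in(fragment: str) -> list[str]:
    """Element names a browser would create from the fragment.
    Used below both to compare the two renderers and to flag raw field
    values that contain markup where only plain text is expected."""
    collector = _TagCollector()
    collector.feed(fragment)
    collector.close()
    return collector.tags


def fields_with_markup(fields: dict[str, str]) -> dict[str, list[str]]:
    """Detection helper: map each field whose value contains tags to those tags."""
    return {k: elements_in(v) for k, v in fields.items() if elements_in(v)}


if __name__ == "__main__":
    for key, value in SAMPLE_FIELDS.items():
        print(key, "unsafe ->", elements_in(render_unsafe(value)))
        print(key, "safe   ->", elements_in(render_safe(value)))
    print("fields carrying markup:", fields_with_markup(SAMPLE_FIELDS))
```

With the unsafe renderer the `notes` value yields two elements (`td` and the injected `a`); with escaping applied only the surrounding `td` exists, and the link text is shown as literal characters. The same `elements_in` check run over stored field values is a cheap way to find records that already contain markup.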
The Common Vulnerability Scoring System (CVSS) rates this issue with a base score of 3.1, indicating a low-severity risk.
However, analysts at HCL observed that the potential for sensitive data exposure makes it critical for organizations relying on these tools to address the vulnerability promptly.
Affected Products and Versions
The following versions are confirmed to be impacted:
HCL Launch
- Versions 7.0 to 7.0.5.24
- Versions 7.1 to 7.1.2.20
- Versions 7.2 to 7.2.3.13
- Versions 7.3 to 7.3.2.8
HCL DevOps Deploy
HCL Software has released updates to mitigate this vulnerability and strongly advises users to upgrade to the following fixed versions:
- HCL Launch: Versions 7.0.5.25, 7.1.2.21, 7.2.3.14, or 7.3.2.9
- HCL DevOps Deploy: Version 8.0.1.4 or the latest release, version 8.1.0
At present, no workarounds or mitigations have been identified for this vulnerability apart from applying the recommended updates.
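A triage helper built from the fixed versions listed above, added here as an example and not provided by HCL: it parses dotted version strings, matches an installed version to its release stream, and reports whether that install is below the corresponding fix. The inventory is constructed; the assumption that a version is fixed once it is at or above the listed fix for its stream, and that streams the advisory does not name cannot be assessed, is the example's own.

```python
# Fixed versions as quoted in the advisory text above.
FIXED_VERSIONS = {
    "HCL Launch": ["7.0.5.25", "7.1.2.21", "7.2.3.14", "7.3.2.9"],
    "HCL DevOps Deploy": ["8.0.1.4", "8.1.0"],
}

# Constructed inventory: (hostname, product, installed version). Not real hosts.
INVENTORY = [
    ("launch-prod-01", "HCL Launch", "7.0.5.24"),
    ("launch-prod-02", "HCL Launch", "7.3.2.9"),
    ("deploy-eu-01", "HCL DevOps Deploy", "8.0.1.3"),
    ("deploy-eu-02", "HCL DevOps Deploy", "8.1.0"),
    ("launch-lab-01", "HCL Launch", "7.4.0"),
]


def parse_version(version: str) -> tuple[int, ...]:
    """'7.0.5.24' -> (7, 0, 5, 24); tuples compare element-wise in Python."""
    return tuple(int(part) for part in version.split("."))


def is_affected(product: str, version: str):
    """True if the install is below the fix for its major.minor stream,
    False if at or above it, None if the advisory names no fix for that
    stream (assumption: match on the first two components)."""
    installed = parse_version(version)
    stream = installed[:2]
    for fixed in FIXED_VERSIONS.get(product, []):
        fixed_parts = parse_version(fixed)
        if fixed_parts[:2] == stream:
            return installed < fixed_parts
    return None


def hosts_needing_patch(inventory) -> list[str]:
    """Hostnames whose installed version falls in an affected range."""
    return [host for host, product, ver in inventory if is_affected(product, ver)]


def hosts_not_assessed(inventory) -> list[str]:
    """Hostnames running a stream the advisory does not cover; check manually."""
    return [host for host, product, ver in inventory if is_affected(product, ver) is None]


if __name__ == "__main__":
    print("patch:", hosts_needing_patch(INVENTORY))
    print("review manually:", hosts_not_assessed(INVENTORY))
```

Any stream not named in the advisory (here the constructed 7.4.0 entry) is deliberately reported for manual review rather than marked safe, since the page gives no fix for it.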
While the CVSS score suggests a low-severity risk, organizations should not underestimate the potential impact of HTML injection vulnerabilities, especially in environments handling sensitive operational data or user credentials.
Security teams are urged to prioritize patching affected systems and review access controls on their HCL DevOps Deploy and Launch platforms to minimize exposure.
This incident underscores the importance of regular software updates and proactive vulnerability management in safeguarding enterprise systems against emerging threats.