HCL Unica Platform Security Header Misconfiguration Vulnerability

Vulnerability

A vulnerability exists in HCL Unica Platform versions through 25.1 due to misconfigured security-related HTTP headers. This misconfiguration can result in browsers applying less secure default behaviors for the policies governed by these headers, potentially leading to increased susceptibility to various web-based attacks.

Impact

The misconfiguration can cause browsers to treat certain security policies less stringently, which may expose the application to various web vulnerabilities, such as cross-site scripting or clickjacking.

Remediation

To address this vulnerability, add the appropriate security headers in the Nginx or other web server configuration file. For Apache or IBM HTTP Server, this is the httpd.conf file. Suggested headers include Strict-Transport-Security, Set-Cookie with the HttpOnly and Secure flags, and a comprehensive Content-Security-Policy that specifies allowed sources for scripts, images, styles, fonts, and frames, among other directives.
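One way to verify the remediation after the configuration change is to audit a response's headers against the list above. This is an added example, not code from HCL or from the original advisory; the function names, finding strings and sample headers are assumptions constructed for illustration.

```python
# Added example. Constructed sample headers, not captured from a real Unica install.
SAMPLE_WEAK = [
    ("Set-Cookie", "SESSION=abc123; Path=/; HttpOnly"),
    ("Content-Security-Policy", "default-src 'self'; img-src *"),
]
# Resource types the advisory names, with the directives browsers fall back to.
CSP_FALLBACKS = {d: ("default-src",)
                 for d in ("script-src", "img-src", "style-src", "font-src")}
CSP_FALLBACKS["frame-src"] = ("child-src", "default-src")

def parse_csp(value):
    """Return {directive: [sources]}; a repeated directive is ignored, as browsers do."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def audit_headers(headers):
    """headers: list of (name, value) pairs from one HTTPS response."""
    by_name, findings = {}, []
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value)
    # HSTS only takes effect with a positive max-age.
    hsts = by_name.get("strict-transport-security", [""])[0]
    max_age = [p.split("=", 1)[1].strip(' "') for p in hsts.lower().split(";")
               if p.strip().startswith("max-age=")]
    if not (max_age and max_age[0].isdigit() and int(max_age[0]) > 0):
        findings.append("Strict-Transport-Security: missing or no positive max-age")
    # Every cookie the server sets needs both flags.
    for cookie in by_name.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().split("=", 1)[0].lower() for a in cookie.split(";")[1:]}
        for flag in ("httponly", "secure"):
            if flag not in attrs:
                findings.append(f"Set-Cookie {name}: missing {flag}")
    csp = by_name.get("content-security-policy")
    if not csp:
        return findings + ["Content-Security-Policy: missing"]
    policy = parse_csp(csp[0])  # simplification: only the first CSP header is audited
    for directive, fallbacks in CSP_FALLBACKS.items():
        used = next((d for d in (directive, *fallbacks) if d in policy), None)
        if used is None:
            findings.append(f"Content-Security-Policy: {directive} unrestricted")
        elif "*" in policy[used]:
            findings.append(f"Content-Security-Policy: {directive} allows * via {used}")
    return findings
```

An empty list from `audit_headers` means all three recommended headers are present with the attributes checked here; it does not judge whether the allowed CSP sources are appropriate for the deployment.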

Added: Oct 12, 2025, 9:16 AM
Updated: Oct 12, 2025, 9:16 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.7
exploitability: 7.4
remediation: 0.0
relevance: 0.7
threat: 0.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.