{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-62328", "assignerOrgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc", "state": "PUBLISHED", "assignerShortName": "HCL", "dateReserved": "2025-10-10T09:04:23.570Z", "datePublished": "2026-03-11T22:04:11.199Z", "dateUpdated": "2026-03-12T17:43:19.489Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Nomad server on Domino", "vendor": "HCLSoftware", "versions": [{"status": "affected", "version": "<1.0.19"}]}], "datePublic": "2026-03-11T22:03:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "HCL Nomad server on Domino did not configure the frame-ancestors directive in the Content-Security-Policy header by default which could allow an attacker to obtain sensitive information via unspecified vectors."}], "value": "HCL Nomad server on Domino did not configure the frame-ancestors directive in the Content-Security-Policy header by default which could allow an attacker to obtain sensitive information via unspecified vectors."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-1021", "description": "CWE-1021 Improper Restriction of Rendered UI Layers or Frames", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc", "shortName": "HCL", "dateUpdated": "2026-03-11T22:04:11.199Z"}, "references": [{"url": "https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0127331"}], "source": {"discovery": "UNKNOWN"}, "title": "HCL Nomad server on Domino is affected by a missing default frame-ancestors directive", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-12T17:43:09.622631Z", "id": "CVE-2025-62328", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T17:43:19.489Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-62328", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-12T17:43:09.622631Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T17:43:15.392Z"}}], "cna": {"title": "HCL Nomad server on Domino is affected by a missing default frame-ancestors directive", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "HCLSoftware", "product": "Nomad server on Domino", "versions": [{"status": "affected", "version": "<1.0.19"}], "defaultStatus": "unaffected"}], "datePublic": "2026-03-11T22:03:00.000Z", "references": [{"url": "https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0127331"}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "HCL Nomad server on Domino did not configure the frame-ancestors directive in the Content-Security-Policy header by default which could allow an attacker to obtain sensitive information via unspecified vectors.", "supportingMedia": [{"type": "text/html", "value": "HCL Nomad server on Domino did not configure the frame-ancestors directive in the Content-Security-Policy header by default which could allow an attacker to obtain sensitive information via unspecified vectors.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1021", "description": "CWE-1021 Improper Restriction of Rendered UI Layers or Frames"}]}], "providerMetadata": {"orgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc", "shortName": "HCL", "dateUpdated": "2026-03-11T22:04:11.199Z"}}}, "cveMetadata": {"cveId": "CVE-2025-62328", "state": "PUBLISHED", "dateUpdated": "2026-03-12T17:43:19.489Z", "dateReserved": "2025-10-10T09:04:23.570Z", "assignerOrgId": "1e47fe04-f25f-42fa-b674-36de2c5e3cfc", "datePublished": "2026-03-11T22:04:11.199Z", "assignerShortName": "HCL"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "HCL Nomad server on Domino did not configure the frame-ancestors directive in the Content-Security-Policy header by default which could allow an attacker to obtain sensitive information via unspecified vectors."}], "id": "CVE-2025-62328", "lastModified": "2026-03-12T21:08:22.643", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 1.4, "source": "psirt@hcl.com", "type": "Secondary"}]}, "published": "2026-03-11T22:16:19.933", "references": [{"source": "psirt@hcl.com", "url": "https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0127331"}], "sourceIdentifier": "psirt@hcl.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1021"}], "source": "psirt@hcl.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.0.19)"}}], "enrichment": {"confidence": 88.0, "confidence_source": "matching", "scores": [{"score": 88.0, "source": "matching"}]}, "original": {"product": "Nomad server on Domino", "source": "cna", "vendor": "HCLSoftware"}, "product": "nomad_server_on_domino", "vendor": "hcltech"}], "analysis": {"en": {"generated_at": "2026-03-17T14:36:40.154299+00:00", "value": {"mitigation_remediation": ["Check HCL software website or support portal for a patch or update that adds the missing frame\u2011ancestors directive to the CSP header.", "If a vendor fix is unavailable, manually add a frame\u2011ancestors policy to the web server\u2019s CSP header, such as: frame-ancestors 'none'; or restrict to trusted domains.", "Consider implementing additional defenses like the X\u2011Frame\u2011Options header or disabling framing at the application level.", "Monitor for future advisories and update the server accordingly."], "summary": {"action": "Apply Patch", "impact": "Information Disclosure via Unrestricted framing"}, "threat_synthesis": {"affected_systems": "The affected product is HCLSoftware\u2019s Nomad server on Domino. No specific product version is listed in the CNA data, so the issue may apply to all releases of this product until a fix is issued.", "description_and_impact": "The vulnerability arises from HCL Nomad server on Domino not configuring a default frame-ancestors directive in its Content\u2011Security\u2011Policy header. This omission allows an attacker to embed the server\u2019s web pages in a frame or iframe on a malicious site, potentially leading to sensitive information exposure or other unspecified attack vectors. The weakness is identified as a missing security policy header, consistent with CWE\u20111021 (Missing Expected Control Path).", "risk_and_exploitability": "The CVSS score of 3.7 indicates a low severity. The EPSS score is below 1%, and the vulnerability is not listed in the CISA KEV catalog, suggesting a low likelihood of widespread exploitation. An attacker would need to serve a malicious page that frames the Nomad server, leveraging the missing frame\u2011ancestors directive. Given the low severity and exploit probability, the risk is moderate but mitigable."}}}}, "created": "2026-03-12T09:55:21.958102+00:00", "updated": "2026-03-20T15:36:46.321092+00:00", "vendors": ["hcltech", "hcltech$PRODUCT$nomad_server_on_domino"]}