Cyber Posture

CVE-2024-42180

Low

Published: 12 January 2025

Modified: 16 May 2025
CVSS Score: 1.6 (CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N)
EPSS Score: 0.0017 (38.0th percentile)
Risk Priority: 3 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-42180 is a low-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Hcltech Dryice Myxalytics. Its CVSS base score is 1.6 (Low).

Operationally, it ranks at the 38.0th percentile by exploit likelihood (EPSS), below the median, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-3 (Malicious Code Protection).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Prevent: SI-10 directly enforces validation of file uploads to reject invalid content types, double extensions, null bytes, and special characters, preventing unrestricted upload of dangerous files.

Prevent, detect: SI-3 deploys malicious code protection at entry points to scan and eradicate malicious files before execution, mitigating the risk of uploaded dangerous files.

Prevent: SI-9 restricts information inputs at boundaries to only permitted file types and handles invalid inputs, addressing aspects of unrestricted uploads.

NVD Description

HCL MyXalytics is affected by a malicious file upload vulnerability. The application accepts invalid file uploads, including incorrect content types, double extensions, null bytes, and special characters, allowing attackers to upload and execute malicious files.
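The four failure modes named in this description (incorrect content type, double extension, null byte, special characters) can each be checked by an allowlist-based upload validator. The following is an added example, not HCL's code or its fix; the allowlist, the function name `validate_upload` and the sample inputs are assumptions constructed for illustration.

```python
import re
import unicodedata

# Hypothetical allowlist: extension -> (expected MIME type, leading magic bytes).
ALLOWED = {
    "png": ("image/png", b"\x89PNG\r\n\x1a\n"),
    "pdf": ("application/pdf", b"%PDF-"),
}
SAFE_STEM = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,63}")


def validate_upload(filename: str, declared_type: str, data: bytes) -> list[str]:
    """Return the reasons to reject an upload; an empty list means accept."""
    reasons = []
    # Fold look-alike characters (e.g. fullwidth dots) before inspecting the name.
    name = unicodedata.normalize("NFKC", filename)
    if "\x00" in name or "%00" in name:
        reasons.append("null byte")
        name = name.replace("\x00", "").replace("%00", "")
    stem, dot, ext = name.rpartition(".")
    if not dot:                      # no extension at all
        stem, ext = name, ""
    ext = ext.lower()
    if ext not in ALLOWED:
        reasons.append("extension not allowed")
    if "." in stem:                  # e.g. name.php.png
        reasons.append("double extension")
    if not SAFE_STEM.fullmatch(stem.replace(".", "")):
        reasons.append("special characters")
    if ext in ALLOWED:
        mime, magic = ALLOWED[ext]
        if declared_type.split(";")[0].strip().lower() != mime:
            reasons.append("content type mismatch")
        if not data.startswith(magic):   # trust the bytes, not the header
            reasons.append("content does not match extension")
    return reasons


if __name__ == "__main__":
    # Constructed sample uploads: (filename, declared Content-Type, body).
    samples = [
        ("report.pdf", "application/pdf", b"%PDF-1.7\n"),
        ("page.php.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),
        ("avatar.php\x00.png", "image/png", b"not an image"),
        ("inv oice;.pdf", "text/html", b"%PDF-1.4\n"),
    ]
    for fname, ctype, body in samples:
        print(repr(fname), "->", validate_upload(fname, ctype, body) or "accept")
```

Validation of this kind complements storing accepted files under a server-generated name in a location the server never executes from.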

Deeper analysis

CVE-2024-42180 is a malicious file upload vulnerability in HCL MyXalytics. The application accepts invalid file uploads, including those with incorrect content types, double extensions, null bytes, and special characters. This flaw enables attackers to upload and execute malicious files, corresponding to CWE-434 (Unrestricted Upload of File with Dangerous Type). The vulnerability has a low CVSS v3.1 base score of 1.6.

Exploitation requires physical access (AV:P), high attack complexity (AC:H), high privileges (PR:H), and user interaction (UI:R), with no impact on confidentiality or availability and only low integrity impact (I:L). Attackers with these prerequisites, such as privileged insiders with physical proximity, can trick users into processing malicious uploads, potentially leading to unauthorized file execution and limited integrity compromise within the unchanged scope (S:U).

HCL has published a knowledge base article addressing the vulnerability: https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0118149.

Details

CWE(s)

CWE-434 (Unrestricted Upload of File with Dangerous Type)

Affected Products

hcltech dryice myxalytics 6.3

CVEs Like This One

CVE-2024-42176 (same product: Hcltech Dryice Myxalytics)
CVE-2024-42175 (same product: Hcltech Dryice Myxalytics)
CVE-2024-42172 (same product: Hcltech Dryice Myxalytics)
CVE-2024-42169 (same product: Hcltech Dryice Myxalytics)
CVE-2024-42168 (same product: Hcltech Dryice Myxalytics)
CVE-2024-42181 (same product: Hcltech Dryice Myxalytics)
CVE-2025-55267 (same vendor: Hcltech)
CVE-2025-55251 (same vendor: Hcltech)
CVE-2025-52631 (same vendor: Hcltech)
CVE-2025-52626 (same vendor: Hcltech)
