CSV Injection and XSS in HCL iControl Export Function

HCL iControl contains a critical vulnerability in its CSV export functionality that combines CSV injection with reflected cross-site scripting (XSS). The flaw stems from insufficient input sanitization, allowing attackers to inject malicious payloads through export parameters that execute in users' browsers or spreadsheet applications. This vulnerability affects organizations using HCL iControl for system management and monitoring, putting administrative users at particular risk since they frequently handle exported data. With a CVSS score of 7.1, this represents a high-severity threat that could enable session hijacking, credential theft, or further network compromise through trusted administrative interfaces.

Casky.ai's security skills framework would identify this attack pattern through detection of T1059.003 (Command and Scripting Interpreter: Windows Command Shell) and related input validation weaknesses mapped to CWE-1236. When analyzing HCL iControl traffic and CSV export requests, practitioners using Casky's Claude-powered reasoning would receive findings highlighting: (1) suspicious special characters or formula prefixes (=, +, -, @) in export parameters that bypass validation, (2) script tags or event handlers in CSV field values that execute upon opening in browsers, (3) reflected parameters echoed back in HTTP responses without encoding, and (4) missing Content Security Policy headers that would otherwise mitigate XSS execution. Extended reasoning analysis would help practitioners distinguish legitimate data from weaponized payloads and trace the injection point through the export workflow.