CVE-2023-50343 in DRYiCE MyXalytics
Summary
by MITRE • 01/03/2024
HCL DRYiCE MyXalytics is impacted by an Improper Access Control (Controller APIs) vulnerability. Certain API endpoints are accessible to Customer Admin Users that can allow access to sensitive information about other users.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 06/18/2025
The vulnerability identified as CVE-2023-50343 affects HCL DRYiCE MyXalytics, a business intelligence and analytics platform that enables organizations to collect, analyze, and visualize data from various sources. This particular flaw represents a critical improper access control weakness that undermines the fundamental security principles of least privilege and principle of least privilege enforcement. The vulnerability manifests within the controller APIs of the platform, where specific endpoints have been configured with insufficient authorization checks, allowing unauthorized access to sensitive user data. This issue specifically impacts customer admin users who possess elevated privileges within the system but should not have the ability to access information belonging to other users within the same organization.
The technical implementation of this vulnerability stems from inadequate input validation and access control mechanisms within the API endpoint controllers. When customer admin users make requests to certain API endpoints, the system fails to properly verify whether the requesting user has legitimate authorization to access the target user's data. This misconfiguration creates a path for privilege escalation where administrative users can potentially enumerate and retrieve personal identifiable information, user profiles, and other sensitive data belonging to other users within the same tenant. The flaw exists at the application layer where the authorization logic does not adequately distinguish between administrative functions and user data access, leading to a scenario where user-level access controls are bypassed through administrative privileges.
The operational impact of this vulnerability extends beyond simple data exposure, as it creates potential pathways for data breaches, privacy violations, and compliance violations. Organizations using HCL DRYiCE MyXalytics may face significant security risks including unauthorized data access, potential identity theft, and violation of data protection regulations such as gdpr, ccpa, and other privacy frameworks. The vulnerability allows for systematic enumeration of user data, which could enable attackers to build comprehensive user profiles, identify organizational structures, and potentially facilitate further attacks such as social engineering or targeted phishing campaigns. Additionally, the exposure of user information could lead to reputational damage and regulatory penalties for organizations that fail to maintain proper data protection controls.
Mitigation strategies for CVE-2023-50343 should focus on implementing robust access control mechanisms and proper authorization checks within the API endpoints. Organizations should immediately review and enforce proper role-based access control (rbac) configurations to ensure that customer admin users cannot access other users' data without explicit authorization. The implementation of principle of least privilege should be strictly enforced where administrative users are granted only the minimum permissions necessary to perform their duties. Security patches or code modifications should address the controller API endpoints by adding proper user context validation and authorization checks before data access is granted. Organizations should also implement comprehensive logging and monitoring of api access patterns to detect anomalous behavior that may indicate exploitation attempts. This vulnerability aligns with CWE-284 which describes improper access control, and could be categorized under ATT&CK technique T1078 for valid accounts and T1566 for credential access, highlighting the importance of proper access control enforcement in preventing unauthorized data access.