CVE-2023-50344 in DRYiCE MyXalyticsinfo

Summary

by MITRE • 01/03/2024

HCL DRYiCE MyXalytics is impacted by improper access control (Unauthenticated File Download) vulnerability. An unauthenticated user can download certain files.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 06/18/2025

The vulnerability identified as CVE-2023-50344 affects HCL DRYiCE MyXalytics, a business intelligence and analytics platform that enables organizations to analyze and visualize data from various sources. This particular flaw represents a critical access control weakness that undermines the security posture of the system by allowing unauthorized users to bypass authentication mechanisms and access restricted content. The vulnerability exists within the file download functionality of the application, creating a pathway for malicious actors to obtain sensitive information without proper authorization.

This improper access control vulnerability manifests as an unauthenticated file download capability that enables attackers to directly access files that should be protected by authentication mechanisms. The technical flaw lies in the application's failure to properly validate user credentials or session tokens before permitting file retrieval operations. According to CWE-285, this vulnerability maps to improper authorization issues where the system does not adequately verify that the requesting entity has the necessary privileges to access the requested resource. The flaw essentially removes the authentication barrier that should normally prevent unauthorized access to sensitive data files within the MyXalytics environment.

The operational impact of this vulnerability is substantial as it exposes organizations using HCL DRYiCE MyXalytics to potential data breaches and information disclosure risks. Attackers can exploit this weakness to download configuration files, database dumps, user credentials, or other sensitive data that may contain proprietary business information, customer data, or system artifacts. The vulnerability can be particularly dangerous in enterprise environments where MyXalytics may be processing confidential business intelligence, financial data, or personally identifiable information. This unauthenticated access could lead to compliance violations under regulations such as gdpr, hipaa, or pci dss, depending on the nature of the data being processed.

Mitigation strategies for this vulnerability should focus on implementing robust authentication controls and access validation mechanisms throughout the application. Organizations should immediately apply vendor patches or updates if available, and in the absence of official fixes, implement temporary workarounds such as restricting file download functionality or implementing additional access controls at the network level. The remediation should include enforcing proper authentication checks before any file download operations, implementing role-based access controls, and conducting thorough security reviews of all file access points. Security teams should also consider implementing network segmentation, monitoring for unauthorized file access attempts, and conducting regular vulnerability assessments to identify similar access control weaknesses within the broader application ecosystem. This vulnerability demonstrates the critical importance of maintaining proper authorization controls as outlined in the mitre ATT&CK framework's privilege escalation and credential access techniques.

Responsible

HCL Software

Reservation

12/07/2023

Disclosure

01/03/2024

Moderation

accepted

CPE

ready

EPSS

0.00278

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!