Hcl Bigfix
By the Year
In 2026 there have been 17 vulnerabilities in Hcl Bigfix with an average score of 4.3 out of ten. Last year, in 2025, Bigfix had 8 security vulnerabilities published. That is, 9 more vulnerabilities have already been reported in 2026 than in all of last year. Last year, the average CVE base score was greater by 0.86.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 17 | 4.34 |
| 2025 | 8 | 5.20 |
| 2024 | 2 | 5.45 |
It may take a day or so for new Bigfix vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Hcl Bigfix Security Vulnerabilities
HCL BigFix Cloud LC Mgt: Input Validation Flaw Enables Info Exposure
CVE-2025-62338
3.3 - Low
- June 04, 2026
HCL BigFix Cloud Lifecycle Management is affected by lack of input validation. This low-level flaw allows unauthorized access and may lead to information exposure.
HCL BigFix SM X-Content-Type-Options Header Misconfig - Browser MIME Sniffing
CVE-2025-31985
3.7 - Low
- May 20, 2026
HCL BigFix Service Management (SM) is affected by a security misconfiguration due to a missing or insecure X-Content-Type-Options header. This could allow browsers to perform MIME-type sniffing, potentially causing malicious content to be interpreted and executed incorrectly.
Information Disclosure
Insecure Base Image Use in HCL BigFix Service Management
CVE-2025-31973
4 - Medium
- May 20, 2026
HCL BigFix Service Management (SM) is susceptible to a Configuration 'Insecure Use of Base Image Version'. Using outdated or insecure base images may introduce known vulnerabilities, potentially increasing the risk of exploitation in the application environment.
1395
Broken Access Control in HCL BigFix SM (SX) Enables Privilege Escalation
CVE-2024-30151
8.3 - High
- May 06, 2026
HCL BigFix Service Management (SX) is affected by a Broken Access Control vulnerability leading to privilege escalation. This could allow unauthorized users to gain elevated privileges, bypassing intended access restrictions. This may result in exposure of sensitive data or unauthorized system modifications.
Insertion of Sensitive Information into Log File
Info Exposure via Unhandled Exception in HCL BigFix SM Reporting
CVE-2025-31960
5.3 - Medium
- May 06, 2026
HCL BigFix Service Management (SM) is vulnerable to information exposure due to improper error handling within its reporting module. It was observed that supplying an invalid or out-of-range value to the consumer_company parameter during a report-viewing request causes the application to trigger an unhandled exception.
Generation of Error Message Containing Sensitive Information
HCL BigFix SM Root FS Read-Only Misconfig allows critical changes
CVE-2025-31974
3.9 - Low
- May 06, 2026
HCL BigFix Service Management (SM) is susceptible to a Root File System Not Mounted as Read-Only. An improperly configured root file system may allow unintended modifications to critical system components, potentially increasing the risk of system compromise or unauthorized changes.
Insecure Default Initialization of Resource
HCL BigFix SM InfoDisclosure: Server Banner Leak Reveals Versions
CVE-2025-31975
2.6 - Low
- May 06, 2026
HCL BigFix Service Management (SM) is affected by an Information Disclosure issue in its server banner. Exposed server banners may reveal software versions and system details, potentially aiding attackers in targeting known vulnerabilities.
Information Disclosure
HCL BigFix SM WSGI Server Vulnerability Enables Unauthorized Access
CVE-2025-52613
4.6 - Medium
- May 06, 2026
HCL BigFix Service Management (SM) is affected by the use of a vulnerable WSGI server. Deploying an outdated or insecure WSGI server may expose the application to known security weaknesses, potentially increasing the risk of exploitation and unauthorized access.
Information Disclosure
Insufficiently Protected Credentials in HCL BigFix SM
CVE-2025-31976
4.8 - Medium
- May 06, 2026
HCL BigFix Service Management (SM) is vulnerable to insufficiently protected credentials for a short duration while communicating with a backend, internal application, which could allow an attacker to potentially misuse them if exfiltrated.
Information Disclosure
HCL BigFix SM CSV/XLS/XLSX Sanitization Bypass (CVE-2025-31978)
CVE-2025-31978
4.6 - Medium
- May 06, 2026
HCL BigFix Service Management (SM) does not adequately sanitize or safely render spreadsheet files (CSV, XLS, XLSX) before processing or distributing them. An attacker could populate data fields which, when saved to a CSV file, may attempt information exfiltration or other malicious activity when automatically executed by the spreadsheet software. Note that current versions of Excel warn users of untrusted content.
Insertion of Sensitive Information Into Sent Data
HCL BigFix SM Exif Metadata Exposure Vulnerability
CVE-2025-31959
3.5 - Low
- May 06, 2026
The HCL BigFix Service Management (SM) application fails to strip EXIF metadata from uploaded images. This could lead to confidentiality and privacy risks if sensitive location information is unintentionally shared.
Exposure of Sensitive Information Through Metadata
Unlinked Directory Access Enables Information Disclosure in HCL BigFix SM
CVE-2025-31982
3.7 - Low
- May 06, 2026
HCL BigFix Service Management (SM) had directories that were not linked or publicly visible but could be accessed directly. This could allow an increased risk of information disclosure or misuse of sensitive functionality.
Information Disclosure
BigFix SM MIME-Type Sniffing via Missing X-Content-Type-Options Header
CVE-2025-31984
3.7 - Low
- May 06, 2026
HCL BigFix Service Management (SM) is affected by a security misconfiguration due to a missing or insecure X-Content-Type-Options header. This could allow browsers to perform MIME-type sniffing, potentially causing malicious content to be interpreted and executed incorrectly.
Information Disclosure
HCL BigFix SM CSP Header XSS Vulnerability
CVE-2025-31983
3.7 - Low
- May 06, 2026
HCL BigFix Service Management (SM) is affected by a security misconfiguration vulnerability due to CSP header. This could allow attackers to inject malicious scripts increasing the risk of cross-site scripting (XSS) and potential exposure of sensitive information.
Improperly Implemented Security Check for Standard
HCL BigFix SM CSRF Enables Unauthorized Changes
CVE-2025-31957
2.6 - Low
- May 06, 2026
HCL BigFix Service Management (SM) is affected by a Cross-Site Request Forgery (CSRF) vulnerability. This could lead to unauthorized changes or exposure of sensitive data.
Session Riding
HCL BigFix RunBookAI Input Handling Vulnerability (CVE-2025-62345)
CVE-2025-62345
2.7 - Low
- May 06, 2026
HCL BigFix RunBookAI is affected by a Continued Availability of Less-Secure Input Text vulnerability. A component contains a security weakness in its input handling implementation, increasing the risk of misconfiguration and operational errors.
Insufficiently Protected Credentials
HCL BigFix RunBookAI Command Smuggling via Unvalidated Input
CVE-2025-31951
8.8 - High
- May 06, 2026
HCL BigFix RunBookAI is affected by an Unvalidated Command Input / Potential Command Smuggling vulnerability. A flaw in a component's input handling was identified that could permit unauthorized command execution.
Command Injection
HCL BigFix Remote Control Lite Web Portal 10.1.0.0326: Path-Relative Stylesheet Import XSS
CVE-2025-55254
3.7 - Low
- December 17, 2025
Improper management of path-relative stylesheet imports in HCL BigFix Remote Control Lite Web Portal (versions 10.1.0.0326 and lower) may allow the execution of malicious code in certain web pages.
Open Redirect
CVE-2025-59849 HCL BigFix Remote Control Web Portal 10.1.0.0326 Improper CSP
CVE-2025-59849
4.7 - Medium
- December 17, 2025
Improper management of Content Security Policy in HCL BigFix Remote Control Lite Web Portal (versions 10.1.0.0326 and lower) may allow the execution of malicious code in web pages.
Clickjacking
Missing Security Headers in BigFix SaaS HTTP Responses
CVE-2025-52622
5.4 - Medium
- December 02, 2025
The BigFix SaaS's HTTP responses were missing some security headers. The absence of these headers weakens the application's client-side security posture, making it more vulnerable to common web attacks that these headers are designed to mitigate, such as Cross-Site Scripting (XSS), Clickjacking, and protocol downgrade attacks.
Insecure Default Initialization of Resource
HCL BigFix Query: Sensitive Info Disclosure via WebUI Query
CVE-2025-52602
4.2 - Medium
- November 05, 2025
HCL BigFix Query is affected by a sensitive information disclosure in the WebUI Query application. An HTTP GET endpoint request returns discoverable responses that may disclose: group names, active user names (or IDs). An attacker can use that information to target individuals with phishing or other social-engineering attacks.
Privacy violation
CVE-2025-0277: HCL BigFix Mobile 3.3 CSP Insecure Directives XSS risk
CVE-2025-0277
6.5 - Medium
- October 16, 2025
HCL BigFix Mobile 3.3 and earlier are vulnerable to certain insecure directives within the Content Security Policy (CSP). An attacker could trick users into performing actions by not properly restricting the sources of scripts and other content.
Protection Mechanism Failure
HCL BigFix MCM <=3.3 CSP insecure directive vulnerability
CVE-2025-0276
6.5 - Medium
- October 16, 2025
HCL BigFix Modern Client Management (MCM) 3.3 and earlier are vulnerable to certain insecure directives within the Content Security Policy (CSP). An attacker could trick users into performing actions by not properly restricting the sources of scripts and other content.
Protection Mechanism Failure
HCL BigFix Mobile 3.3 Improper Access Control (CVE-2025-0275)
CVE-2025-0275
5.3 - Medium
- October 16, 2025
HCL BigFix Mobile 3.3 and earlier is affected by improper access control. Unauthorized users can access a small subset of endpoint actions, potentially allowing access to select internal functions.
Missing Authentication for Critical Function
Unauthorized Access in HCL BigFix MCM 3.3 and Earlier
CVE-2025-0274
5.3 - Medium
- October 16, 2025
HCL BigFix Modern Client Management (MCM) 3.3 and earlier is affected by improper access control. Unauthorized users can access a small subset of endpoint actions, potentially allowing access to select internal functions.
Missing Authentication for Critical Function
XSS in HCL BigFix Web Reports component
CVE-2023-37531
4.8 - Medium
- February 29, 2024
A cross-site scripting (XSS) vulnerability in the Web Reports component of HCL BigFix Platform can possibly allow an attacker to execute malicious JavaScript code injected into a form field of a webpage by a user with privileged access.
XSS
HCL BigFix XSS in Web Reports Save Report
CVE-2023-37528
6.1 - Medium
- February 03, 2024
A cross-site scripting (XSS) vulnerability in the Web Reports component of HCL BigFix Platform can possibly allow an attacker to exploit an application parameter during execution of the Save Report function.
XSS