Severity by source
CVSS 3.1 vector (NVD, the only source scoring this CVE): CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
Base score 3.5 (Low): reachable over the network with low attack complexity, requires a low-privileged (authenticated) account and user interaction, no scope change, and a low impact on confidentiality only, with no integrity or availability impact.
Description (source: CVE.org)
HCL BigFix Service Management (SM) application fails to strip EXIF metadata from uploaded images. This could lead to confidentiality and privacy risks if sensitive location information is unintentionally shared.
Analysis (AI-generated)
HCL BigFix Service Management fails to strip EXIF metadata from uploaded images. An authenticated user who uploads a photo taken on a phone or camera therefore also uploads whatever the device embedded in it, most notably GPS coordinates, capture timestamps and device identifiers, and that metadata remains attached to the file for anyone who can later download it from the application. The issue requires user interaction (a user has to upload the image) and is not an attacker-triggered exploit, but it is a direct confidentiality risk for organizations that handle location-sensitive imagery, such as photos of sites, equipment or incidents attached to service tickets.
Technical Context (AI-generated)
The weakness is classified as CWE-1230 (Exposure of Sensitive Information Through Metadata), which here manifests as the application's failure to sanitize or remove Exchangeable Image File Format (EXIF) data during upload processing. EXIF is carried in a JPEG's APP1 marker segment as a TIFF-structured block; it can contain GPS coordinates (in the GPS sub-IFD), camera settings, timestamps, serial numbers and other device identifiers written by cameras and smartphones. BigFix Service Management, an IT service management solution, stores user-uploaded images without stripping this block, creating an unintended information disclosure channel. The NVD CPE entry (cpe:2.3:a:hcl_software:bigfix_service_management_(sm):*:*:*:*:*:*:*:*) carries no version bounds, so it does not by itself establish which releases are affected; the affected and fixed versions must be taken from the vendor advisory. The flaw sits in the core image handling path rather than in a single feature.
Remediation (AI-generated)
HCL has published guidance in support article KB0128144 (https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0128144). Consult that advisory for the patched version and upgrade as soon as practical; the real fix is for the server to strip metadata from every image at upload time, which only the vendor patch provides. Until the patch is deployed, compensating controls reduce the chance of accidental exposure without removing the flaw:
- Restrict image upload to the smallest set of users who need it. Note that this limits who can upload, not what is embedded: an administrator's phone photo carries the same GPS data as anyone else's.
- Audit already-uploaded images for GPS and device metadata (for example with ExifTool) before they are shared, exported or archived, and strip what you find.
- Tell users to remove EXIF data locally before uploading images from personal devices (ExifTool, or the "remove location" option most phone galleries offer when sharing). Avoid web-based "online EXIF strippers" for sensitive photos: uploading the image to a third party is itself a disclosure.
- Tighten access controls on ticket attachments and image archives so that files that already contain metadata are only retrievable by users who need them.
Technique: Information Disclosure
Related identifiers: EUVD-2025-209688, GHSA-4w64-m6x6-926r