
HCL BigFix Service Management CVE-2025-31959

EUVD: EUVD-2025-209688 · Severity: LOW
Weakness: Exposure of Sensitive Information Through Metadata (CWE-1230)
2026-05-06 · HCL · GHSA-4w64-m6x6-926r
Score: 3.5 (CVSS 3.1 · NVD)

Severity by source

NVD (primary): 3.5 LOW · AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Lifecycle Timeline

1. Analysis Generated: May 06, 2026 - 15:00 (vuln.today)

Description (CVE.org)

HCL BigFix Service Management (SM) application fails to strip EXIF metadata from uploaded images. This could lead to confidentiality and privacy risks if sensitive location information is unintentionally shared.

Analysis (AI)

HCL BigFix Service Management fails to strip EXIF metadata from uploaded images, allowing authenticated users to inadvertently expose sensitive location information and other metadata embedded in image files. The vulnerability requires user interaction (image upload and viewing) but poses a direct confidentiality risk to organizations handling location-sensitive imagery through the application.

Technical Context (AI)

The vulnerability maps to CWE-1230 (Exposure of Sensitive Information Through Metadata), which in this context manifests as the application's failure to sanitize or remove Exchangeable Image File Format (EXIF) data during image upload processing. EXIF metadata can carry GPS coordinates, camera settings, timestamps, and device identifiers embedded by cameras and smartphones. BigFix Service Management, an IT service management solution, stores and serves user-uploaded images without stripping this metadata, creating an unintended information disclosure channel: anyone who can retrieve the image can read the embedded data. The affected CPE range covers all versions (cpe:2.3:a:hcl_software:bigfix_service_management_(sm):*:*:*:*:*:*:*:*), indicating the flaw exists in the core image handling functionality.

Remediation (AI)

HCL has released guidance via support article KB0128144 (https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0128144). Organizations should immediately consult this advisory for the patched version and upgrade timeline. As an interim compensating control, restrict image upload functionality to administrative users only and audit uploaded images for sensitive location data before they are shared or archived. Alternatively, educate users on the risks of uploading images from personal devices without removing EXIF data first; users can strip EXIF data locally using third-party tools (e.g., ExifTool, online stripping services) before uploading to BigFix SM. Implement access controls on image archives to limit exposure if metadata is already embedded. These workarounds do not remediate the underlying flaw but reduce the likelihood of accidental exposure until a patch is deployed.
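As an added example (not code from this page, from vuln.today, or from HCL), the Python below walks a JPEG's marker segments to audit an upload for a GPS sub-IFD pointer in its Exif block and to strip the Exif segment before the file is stored, the server-side counterpart of the local ExifTool step the remediation suggests. The sample JPEG is constructed inline and is not a real camera file; the check covers only the GPSInfo pointer in IFD0, not XMP or other metadata containers.

```python
import struct
SOS, EOI, APP0, APP1 = 0xFFDA, 0xFFD9, 0xFFE0, 0xFFE1
EXIF_HEADER = b"Exif\x00\x00"
GPS_IFD_TAG = 0x8825  # IFD0 pointer to the GPS sub-IFD, where coordinates live

def split_jpeg(data):
    """Return (header segments as [(marker, raw_bytes)], tail from the first SOS/EOI on)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    segs, pos = [], 2
    while pos + 4 <= len(data):
        marker, length = struct.unpack(">HH", data[pos:pos + 4])
        if marker in (SOS, EOI) or length < 2:
            break  # entropy-coded image data starts at SOS; it is copied untouched
        segs.append((marker, data[pos:pos + 2 + length]))
        pos += 2 + length
    return segs, data[pos:]
def is_exif(marker, raw):  # raw[4:] skips the 2-byte marker and 2-byte length
    return marker == APP1 and raw[4:].startswith(EXIF_HEADER)

def has_gps_exif(data):
    """Audit check: True if the Exif IFD0 carries a GPSInfo pointer (tag 0x8825)."""
    for marker, raw in split_jpeg(data)[0]:
        if not is_exif(marker, raw):
            continue
        tiff = raw[4 + len(EXIF_HEADER):]
        e = ">" if tiff[:2] == b"MM" else "<"  # TIFF byte-order mark
        ifd0 = struct.unpack(e + "I", tiff[4:8])[0]
        count = struct.unpack(e + "H", tiff[ifd0:ifd0 + 2])[0]
        for i in range(count):  # 12-byte entries; the tag is the first 2 bytes
            if struct.unpack(e + "H", tiff[ifd0 + 2 + 12 * i:][:2])[0] == GPS_IFD_TAG:
                return True
    return False

def strip_exif(data):
    """Sanitize on upload: drop every APP1/Exif segment, keep all other segments."""
    segs, tail = split_jpeg(data)
    return b"\xff\xd8" + b"".join(r for m, r in segs if not is_exif(m, r)) + tail
def _entry(tag, typ, count, value4):  # big-endian 12-byte IFD entry, inline value
    return struct.pack(">HHI", tag, typ, count) + value4
def build_sample_jpeg():
    """Constructed input (not a real camera file): SOI, APP0/JFIF, APP1/Exif, EOI."""
    entries = [_entry(0x010F, 2, 4, b"HCL\x00"),  # Make, ASCII
               _entry(GPS_IFD_TAG, 4, 1, struct.pack(">I", 38))]  # GPS sub-IFD at 38
    gps_ifd = struct.pack(">H", 1) + _entry(0x0001, 2, 2, b"N\x00\x00\x00") + bytes(4)
    tiff = b"MM\x00\x2a" + struct.pack(">IH", 8, 2) + b"".join(entries) + bytes(4) + gps_ifd
    app0, app1 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00", EXIF_HEADER + tiff
    return (b"\xff\xd8" + struct.pack(">HH", APP0, len(app0) + 2) + app0
            + struct.pack(">HH", APP1, len(app1) + 2) + app1 + b"\xff\xd9")
```

Running has_gps_exif over an existing image archive gives the audit the remediation calls for; calling strip_exif in the upload handler removes the channel for new files.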

Related HCL BigFix Service Management CVEs

CVE-2025-31976 (HIGH, 7.5, May 06): Credential exposure in HCL BigFix Service Management (SM) version 23 leaves credentials insufficiently protected for a b...

CVE-2025-31960 (MEDIUM, 5.3, May 06): HCL BigFix Service Management (SM) leaks sensitive information through improper error handling in its reporting module.

CVE-2025-31981 (MEDIUM, 5.3, Apr 21): HCL BigFix Service Management Discovery accepts unencrypted HTTP traffic on port 80, allowing network-adjacent attackers...

CVE-2025-52613 (MEDIUM, 4.6, May 06): HCL BigFix Service Management (SM) contains an insecure or outdated WSGI server implementation that exposes the applicat...

CVE-2025-31978 (MEDIUM, 4.3, May 06): HCL BigFix Service Management fails to sanitize spreadsheet data (CSV, XLS, XLSX) before export, allowing authenticated...

CVE-2025-31974 (LOW, 3.9, May 06): HCL BigFix Service Management is vulnerable to improper root filesystem configuration, allowing high-privileged authenti...

CVE-2025-31984 (LOW, 3.7, May 06): HCL BigFix Service Management lacks secure X-Content-Type-Options HTTP headers, allowing browsers to perform MIME-type s...

CVE-2025-31958 (LOW, 3.7, Apr 21): HTTP request smuggling in HCL BigFix Service Management allows remote unauthenticated attackers to exploit HTTP parsing...

CVE-2025-31982 (LOW, 3.7, May 06): HCL BigFix Service Management contains unauthenticated-accessible directories that are not linked in the user interface...

CVE-2025-31983 (LOW, 3.7, May 06): HCL BigFix Service Management (SM) contains a Content Security Policy (CSP) header misconfiguration that enables cross-s...

CVE-2025-31957 (LOW, 2.6, May 06): HCL BigFix Service Management (SM) contains a cross-site request forgery (CSRF) vulnerability that allows authenticated...

CVE-2025-31975 (LOW, 2.6, May 06): HCL BigFix Service Management exposes server banner information containing software versions and system details accessib...
