Skip to main content

HCL BigFix Service Management CVE-2025-31960

| EUVDEUVD-2025-209704 MEDIUM
Error Message Information Leak (CWE-209)
2026-05-06 HCL
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 06, 2026 - 19:00 vuln.today

DescriptionCVE.org

HCL BigFix Service Management (SM) is vulnerable to information exposure due to improper error handling within its reporting module. It was observed that supplying an invalid or out-of-range value to the consumer_company parameter during a report-viewing request causes the application to trigger an unhandled exception.

AnalysisAI

HCL BigFix Service Management (SM) leaks sensitive information through improper error handling in its reporting module. Unauthenticated remote attackers can trigger unhandled exceptions by submitting invalid or out-of-range values to the consumer_company parameter during report-viewing requests, exposing application details in error messages. CVSS score is moderate (5.3) but reflects low confidentiality impact with no integrity or availability impact.

Technical ContextAI

The vulnerability stems from CWE-209 (Information Exposure Through an Error Message), a common flaw where application error handling reveals sensitive technical details to attackers. In BigFix Service Management's reporting module, the parameter validation mechanism for consumer_company fails to sanitize exceptions before displaying them to users. The consumer_company parameter likely maps to an internal database query or business logic layer; when an invalid or out-of-range value is supplied, the application throws an unhandled exception that leaks debugging information, stack traces, database schema details, or other sensitive context. This is a classic information disclosure vulnerability with network-accessible attack surface (AV:N) requiring no authentication (PR:N) and no user interaction (UI:N).

RemediationAI

Apply the patch issued by HCL for BigFix Service Management as documented in vendor advisory KB0128144 (https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0128144). The patch adds proper input validation and exception handling to the consumer_company parameter in the reporting module, preventing error messages from leaking sensitive details. As an interim compensating control, restrict access to the BigFix SM reporting module via network firewall rules or WAF policies to trusted IP ranges only, and enable HTTP response body filtering to suppress stack traces and debugging information from reaching end users. Consider deploying a reverse proxy with error page rewriting to mask backend exceptions. These controls reduce information leakage but do not address the root cause and may impact legitimate users requiring debugging access.

CVE-2024-30151 HIGH
8.3 May 06

HCL BigFix Service Management (SX) is affected by a Broken Access Control vulnerability leading to privilege escalation.

CVE-2025-31976 HIGH
7.5 May 06

Credential exposure in HCL BigFix Service Management (SM) version 23 leaves credentials insufficiently protected for a b

CVE-2025-31981 MEDIUM
5.3 Apr 21

HCL BigFix Service Management Discovery accepts unencrypted HTTP traffic on port 80, allowing network-adjacent attackers

CVE-2025-52613 MEDIUM
4.6 May 06

HCL BigFix Service Management (SM) contains an insecure or outdated WSGI server implementation that exposes the applicat

CVE-2025-31978 MEDIUM
4.3 May 06

HCL BigFix Service Management fails to sanitize spreadsheet data (CSV, XLS, XLSX) before export, allowing authenticated

CVE-2025-31974 LOW
3.9 May 06

HCL BigFix Service Management is vulnerable to improper root filesystem configuration, allowing high-privileged authenti

CVE-2025-31984 LOW
3.7 May 06

HCL BigFix Service Management lacks secure X-Content-Type-Options HTTP headers, allowing browsers to perform MIME-type s

CVE-2025-31958 LOW
3.7 Apr 21

HTTP request smuggling in HCL BigFix Service Management allows remote unauthenticated attackers to exploit HTTP parsing

CVE-2025-31982 LOW
3.7 May 06

HCL BigFix Service Management contains unauthenticated-accessible directories that are not linked in the user interface

CVE-2025-31983 LOW
3.7 May 06

HCL BigFix Service Management (SM) contains a Content Security Policy (CSP) header misconfiguration that enables cross-s

CVE-2025-31959 LOW
3.5 May 06

HCL BigFix Service Management fails to strip EXIF metadata from uploaded images, allowing authenticated users to inadver

CVE-2025-31957 LOW
2.6 May 06

HCL BigFix Service Management (SM) contains a cross-site request forgery (CSRF) vulnerability that allows authenticated

Share

CVE-2025-31960 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy