Skip to main content

HCL BigFix Service Management CVE-2025-31983

| EUVDEUVD-2025-209699 LOW
Improperly Implemented Security Check for Standard (CWE-358)
2026-05-06 HCL GHSA-rmc9-985c-h9wg
3.7
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
3.7 LOW
AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
May 06, 2026 - 15:00 vuln.today

DescriptionCVE.org

HCL BigFix Service Management (SM) is affected by a security misconfiguration vulnerability due to CSP header. This could allow attackers to inject malicious scripts increasing the risk of cross-site scripting (XSS) and potential exposure of sensitive information.

AnalysisAI

HCL BigFix Service Management (SM) contains a Content Security Policy (CSP) header misconfiguration that enables cross-site scripting (XSS) attacks. Authenticated users with low privileges can inject malicious scripts by exploiting insufficient CSP directives, potentially exposing sensitive information or hijacking user sessions. The vulnerability requires user interaction (UI:R) and operates in a non-global scope, limiting but not eliminating real-world risk.

Technical ContextAI

The vulnerability stems from inadequate Content Security Policy (CSP) header configuration (CWE-358: Improperly Restricted Operations within Bounds of a Buffer), a web security control designed to prevent inline script injection and restrict script sources. BigFix Service Management, an enterprise IT service management platform typically deployed in security-sensitive environments, relies on CSP headers to defend against XSS attacks. When CSP headers are misconfigured-such as allowing 'unsafe-inline', overly permissive sources, or missing directives-attackers can inject JavaScript into the application context. The CPE indicates all versions of HCL BigFix Service Management (SM) are potentially affected, suggesting the misconfiguration is present across the product line until a patched version is released.

RemediationAI

Immediate action requires applying the security patch from HCL Software. Users should review HCL support article KB0128144 for the specific patched version applicable to their deployment. The primary fix involves HCL updating CSP headers to enforce strict directives, eliminating 'unsafe-inline' script sources and limiting script-src to whitelisted, non-external origins. If an immediate patch is unavailable, implement compensating controls: configure a Web Application Firewall (WAF) with rules to detect and block JavaScript injection patterns in request payloads and enforce Content-Security-Policy headers at the reverse proxy level with directives such as 'script-src self' and 'default-src self'. These controls reduce attack surface but may impact legitimate functionality if the application relies on inline scripts; coordinate with HCL support before deployment. Restrict access to BigFix Service Management administrative and authoring interfaces to trusted networks and apply rate-limiting and request validation on all user input fields.

CVE-2024-30151 HIGH
8.3 May 06

HCL BigFix Service Management (SX) is affected by a Broken Access Control vulnerability leading to privilege escalation.

CVE-2025-31976 HIGH
7.5 May 06

Credential exposure in HCL BigFix Service Management (SM) version 23 leaves credentials insufficiently protected for a b

CVE-2025-31960 MEDIUM
5.3 May 06

HCL BigFix Service Management (SM) leaks sensitive information through improper error handling in its reporting module.

CVE-2025-31981 MEDIUM
5.3 Apr 21

HCL BigFix Service Management Discovery accepts unencrypted HTTP traffic on port 80, allowing network-adjacent attackers

CVE-2025-52613 MEDIUM
4.6 May 06

HCL BigFix Service Management (SM) contains an insecure or outdated WSGI server implementation that exposes the applicat

CVE-2025-31978 MEDIUM
4.3 May 06

HCL BigFix Service Management fails to sanitize spreadsheet data (CSV, XLS, XLSX) before export, allowing authenticated

CVE-2025-31974 LOW
3.9 May 06

HCL BigFix Service Management is vulnerable to improper root filesystem configuration, allowing high-privileged authenti

CVE-2025-31984 LOW
3.7 May 06

HCL BigFix Service Management lacks secure X-Content-Type-Options HTTP headers, allowing browsers to perform MIME-type s

CVE-2025-31958 LOW
3.7 Apr 21

HTTP request smuggling in HCL BigFix Service Management allows remote unauthenticated attackers to exploit HTTP parsing

CVE-2025-31982 LOW
3.7 May 06

HCL BigFix Service Management contains unauthenticated-accessible directories that are not linked in the user interface

CVE-2025-31959 LOW
3.5 May 06

HCL BigFix Service Management fails to strip EXIF metadata from uploaded images, allowing authenticated users to inadver

CVE-2025-31957 LOW
2.6 May 06

HCL BigFix Service Management (SM) contains a cross-site request forgery (CSRF) vulnerability that allows authenticated

Share

CVE-2025-31983 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy