CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:L
Description (NVD)
HCL BigFix Service Management (SM) is affected by a security misconfiguration vulnerability due to CSP header. This could allow attackers to inject malicious scripts increasing the risk of cross-site scripting (XSS) and potential exposure of sensitive information.
Analysis (AI)
HCL BigFix Service Management (SM) contains a Content Security Policy (CSP) header misconfiguration that enables cross-site scripting (XSS) attacks. Authenticated users with low privileges can inject malicious scripts by exploiting insufficient CSP directives, potentially exposing sensitive information or hijacking user sessions. The vulnerability requires user interaction (UI:R) and operates in a non-global scope, limiting but not eliminating real-world risk.
Technical Context (AI)
The vulnerability stems from inadequate Content Security Policy (CSP) header configuration (CWE-358: Improperly Restricted Operations within Bounds of a Buffer), a web security control designed to prevent inline script injection and restrict script sources. BigFix Service Management, an enterprise IT service management platform typically deployed in security-sensitive environments, relies on CSP headers to defend against XSS attacks. When CSP headers are misconfigured (for example, allowing 'unsafe-inline', overly permissive sources, or missing directives), attackers can inject JavaScript into the application context. The CPE indicates all versions of HCL BigFix Service Management (SM) are potentially affected, suggesting the misconfiguration is present across the product line until a patched version is released.
Remediation (AI)
Immediate action requires applying the security patch from HCL Software. Users should review HCL support article KB0128144 for the specific patched version applicable to their deployment. The primary fix involves HCL updating CSP headers to enforce strict directives, eliminating 'unsafe-inline' script sources and limiting script-src to allow-listed, non-external origins. If an immediate patch is unavailable, implement compensating controls: configure a Web Application Firewall (WAF) with rules to detect and block JavaScript injection patterns in request payloads, and enforce Content-Security-Policy headers at the reverse proxy level with directives such as `script-src 'self'` and `default-src 'self'`. These controls reduce attack surface but may break legitimate functionality if the application relies on inline scripts; coordinate with HCL support before deployment. Restrict access to BigFix Service Management administrative and authoring interfaces to trusted networks, and apply rate limiting and request validation on all user input fields.
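To verify that a proxy-enforced or vendor-supplied policy actually closes the weaknesses described above, the following added example (not code from vuln.today, HCL, or the product) audits a Content-Security-Policy header for a missing script policy, 'unsafe-inline', and scheme- or wildcard-level sources; the sample headers are constructed for illustration.

```python
import re

# Source expressions that leave script injection effectively unrestricted.
PERMISSIVE = {"*", "'unsafe-inline'", "'unsafe-eval'", "data:", "blob:", "http:", "https:"}
# A nonce or hash source makes browsers ignore 'unsafe-inline' (kept for old browsers).
NONCE_OR_HASH = re.compile(r"^'(nonce-|sha(256|384|512)-)", re.IGNORECASE)


def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive: [sources]}.

    Browsers honour only the first occurrence of a directive, so later duplicates are dropped."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def audit_csp(header: str) -> list:
    """Return findings for the script policy; an empty list means none of these checks fired."""
    policy = parse_csp(header)
    # script-src governs <script>; when it is absent, default-src is the fallback.
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return ["no script-src or default-src directive: script execution is unrestricted"]
    has_nonce_or_hash = any(NONCE_OR_HASH.match(s) for s in sources)
    findings = []
    for src in sources:
        token = src.lower()
        if token == "'unsafe-inline'" and has_nonce_or_hash:
            continue  # backwards-compatibility token, ignored by CSP3-capable browsers
        if token in PERMISSIVE:
            findings.append(f"script source {src} allows injected script to run")
    return findings


# Constructed sample headers (not taken from the product).
WEAK = "default-src *; script-src 'self' 'unsafe-inline' https:"
STRICT = "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'"
NONCE_COMPAT = "script-src 'nonce-d2ViZm9v' 'unsafe-inline' 'strict-dynamic'"
NO_SCRIPT_POLICY = "frame-ancestors 'none'"

if __name__ == "__main__":
    for label, header in [("weak", WEAK), ("strict", STRICT),
                          ("nonce", NONCE_COMPAT), ("missing", NO_SCRIPT_POLICY)]:
        print(label, audit_csp(header) or ["ok"])
```

Run it against the header returned by the reverse proxy (or the patched application) to confirm the strict directives are what clients actually receive.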
EUVD-2025-209699
GHSA-rmc9-985c-h9wg