Severity by source
AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
The HCL BigFix SCM Reporting site contains an outdated and unsupported version of the jQuery 1.x library. Since jQuery 1.x has reached end-of-life and no longer receives security updates, it may expose the application to publicly known security weaknesses and increase the risk of client-side attacks such as Cross-Site Scripting (XSS) or manipulation through vulnerable third-party components.
AnalysisAI
Use of an end-of-life jQuery 1.x library in HCL BigFix SCM Reporting 11.0.5 exposes the management console to client-side attacks, including DOM-based XSS, inherited from publicly known unpatched flaws in the dependency. With no public exploit identified at time of analysis and a very low EPSS score (0.04%), the CVSS 8.3 rating reflects high theoretical impact rather than confirmed in-the-wild abuse, though successful exploitation requires user interaction with a crafted resource.
Technical ContextAI
The vulnerability falls under CWE-1104 (Use of Unmaintained Third Party Components). HCL BigFix SCM Reporting - the Security Configuration Management reporting site within the BigFix endpoint management platform - bundles jQuery 1.x, a major version line whose final release (1.12.4) shipped in 2016 and which the jQuery Foundation no longer issues security patches for. Known jQuery 1.x weaknesses include prototype pollution and DOM XSS sinks in $.parseHTML, $.extend, and selectors that interpret untrusted strings as HTML (CVE-2015-9251, CVE-2019-11358, CVE-2020-11022/11023). Because BigFix SCM Reporting is a browser-based administrative console used by operators reviewing endpoint compliance data, any DOM sink reachable through report parameters, query strings, or rendered endpoint data inherits these weaknesses.
RemediationAI
Patch status is not confirmed from the available data - consult the HCL knowledge base article at https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0130744 for the fixed BigFix SCM Reporting build, which is expected to upgrade the bundled jQuery to a supported 3.x release. Until the patched build is applied, restrict access to the SCM Reporting site to a trusted management VLAN or jump-host network and require operators to authenticate through SSO with short session timeouts to shrink the UI:R exposure window; trade-off is reduced convenience for distributed administrators. Where feasible, deploy a strict Content Security Policy on the reporting site to constrain inline script and untrusted HTML rendering, accepting that aggressive CSP may break legacy report widgets and require tuning.
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30155
GHSA-246p-fh28-56r9