Skip to main content

HCL BigFix Service Management EUVDEUVD-2025-209687

| CVE-2025-31957 LOW
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-05-06 HCL
2.6
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
2.6 LOW
AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 06, 2026 - 15:00 vuln.today

DescriptionCVE.org

HHCL BigFix Service Management (SM) is affected by a Cross‑Site Request Forgery (CSRF) vulnerability. This could lead to unauthorized changes or exposure of sensitive data.

AnalysisAI

HCL BigFix Service Management (SM) contains a cross-site request forgery (CSRF) vulnerability that allows authenticated users with sufficient privileges to perform unauthorized actions or access sensitive data through malicious web requests. The vulnerability requires user interaction (such as clicking a malicious link) and affects confidentiality but not integrity or availability, resulting in a CVSS score of 2.6. No active exploitation has been publicly reported.

Technical ContextAI

CSRF vulnerabilities (CWE-352) occur when web applications accept state-changing requests without verifying that the request originated from the legitimate user. HCL BigFix Service Management, an IT service management platform, fails to implement proper anti-CSRF protections such as synchronization tokens or SameSite cookie attributes. An authenticated user with login privileges could be tricked into initiating unintended actions on the platform. The vulnerability affects all versions of the product according to the CPE specification (cpe:2.3:a:hcl_software:bigfix_service_management_(sm):*:*:*:*:*:*:*:*), though patch versions may exist.

RemediationAI

Apply the security patch released by HCL, available at the vendor advisory URL: https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0128144. Consult this advisory for the specific patched version applicable to your installation. Until patches can be deployed, implement compensating controls: enable SameSite cookie attributes (set to 'Strict' or 'Lax') on all BigFix SM session cookies to prevent CSRF attacks across cross-site scenarios; implement Content Security Policy (CSP) headers to restrict form submissions to same-origin requests; educate users on avoiding suspicious links in emails or messages that claim to be from IT administration; and consider restricting access to BigFix SM administrative functions to internal networks only using firewall or VPN rules. Note that these controls do not fully eliminate the vulnerability and are temporary measures pending patch deployment.

CVE-2024-30151 HIGH
8.3 May 06

HCL BigFix Service Management (SX) is affected by a Broken Access Control vulnerability leading to privilege escalation.

CVE-2025-31976 HIGH
7.5 May 06

Credential exposure in HCL BigFix Service Management (SM) version 23 leaves credentials insufficiently protected for a b

CVE-2025-31960 MEDIUM
5.3 May 06

HCL BigFix Service Management (SM) leaks sensitive information through improper error handling in its reporting module.

CVE-2025-31981 MEDIUM
5.3 Apr 21

HCL BigFix Service Management Discovery accepts unencrypted HTTP traffic on port 80, allowing network-adjacent attackers

CVE-2025-52613 MEDIUM
4.6 May 06

HCL BigFix Service Management (SM) contains an insecure or outdated WSGI server implementation that exposes the applicat

CVE-2025-31978 MEDIUM
4.3 May 06

HCL BigFix Service Management fails to sanitize spreadsheet data (CSV, XLS, XLSX) before export, allowing authenticated

CVE-2025-31974 LOW
3.9 May 06

HCL BigFix Service Management is vulnerable to improper root filesystem configuration, allowing high-privileged authenti

CVE-2025-31984 LOW
3.7 May 06

HCL BigFix Service Management lacks secure X-Content-Type-Options HTTP headers, allowing browsers to perform MIME-type s

CVE-2025-31958 LOW
3.7 Apr 21

HTTP request smuggling in HCL BigFix Service Management allows remote unauthenticated attackers to exploit HTTP parsing

CVE-2025-31982 LOW
3.7 May 06

HCL BigFix Service Management contains unauthenticated-accessible directories that are not linked in the user interface

CVE-2025-31983 LOW
3.7 May 06

HCL BigFix Service Management (SM) contains a Content Security Policy (CSP) header misconfiguration that enables cross-s

CVE-2025-31959 LOW
3.5 May 06

HCL BigFix Service Management fails to strip EXIF metadata from uploaded images, allowing authenticated users to inadver

Share

EUVD-2025-209687 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy