Skip to main content

HCL BigFix Service Management EUVDEUVD-2025-209701

| CVE-2025-31984 LOW
Information Exposure (CWE-200)
2026-05-06 HCL GHSA-jfx8-f9m6-qfgw
3.7
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
3.7 LOW
AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
May 06, 2026 - 15:00 vuln.today

DescriptionCVE.org

HCL BigFix Service Management (SM) is affected by a security misconfiguration due to a missing or insecure “X-Content-Type-Options” header. This could allow browsers to perform MIME-type sniffing, potentially causing malicious content to be interpreted and executed incorrectly.

AnalysisAI

HCL BigFix Service Management lacks secure X-Content-Type-Options HTTP headers, allowing browsers to perform MIME-type sniffing that could lead to malicious content being interpreted as executable code. The vulnerability requires local authentication, high attack complexity, and user interaction, affecting confidentiality and availability with a CVSS score of 3.7. No active exploitation or public exploit code is documented at time of analysis.

Technical ContextAI

The X-Content-Type-Options HTTP response header (specifically the 'nosniff' directive) prevents MIME-type sniffing attacks where browsers guess the content type of resources instead of respecting server-declared types. HCL BigFix Service Management fails to set this header on HTTP responses, allowing an authenticated user with user interaction to trigger browser interpretation of malicious content (e.g., serving JavaScript as text/html). This is categorized as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), which covers security configuration issues that expose data or functionality. The affected product is HCL BigFix Service Management (all versions indicated by CPE wildcard matching).

RemediationAI

Upgrade HCL BigFix Service Management to a patched version released by HCL (exact version numbers not specified in available advisory - consult KB0128144 for the specific fix version applicable to your deployment). Ensure your installation receives the security update that includes the X-Content-Type-Options: nosniff header in HTTP responses. If patching cannot be applied immediately, configure web application firewalls or reverse proxies (if deployed behind one) to inject the X-Content-Type-Options: nosniff header into all BigFix SM responses, though this workaround does not address the underlying misconfiguration and may be bypassed if clients connect directly to the application. Additionally, restrict BigFix SM access to internal networks or behind authentication gateways to reduce exposure to unauthenticated attack surface, minimizing scenarios where users interact with untrusted content.

CVE-2024-30151 HIGH
8.3 May 06

HCL BigFix Service Management (SX) is affected by a Broken Access Control vulnerability leading to privilege escalation.

CVE-2025-31976 HIGH
7.5 May 06

Credential exposure in HCL BigFix Service Management (SM) version 23 leaves credentials insufficiently protected for a b

CVE-2025-31960 MEDIUM
5.3 May 06

HCL BigFix Service Management (SM) leaks sensitive information through improper error handling in its reporting module.

CVE-2025-31981 MEDIUM
5.3 Apr 21

HCL BigFix Service Management Discovery accepts unencrypted HTTP traffic on port 80, allowing network-adjacent attackers

CVE-2025-52613 MEDIUM
4.6 May 06

HCL BigFix Service Management (SM) contains an insecure or outdated WSGI server implementation that exposes the applicat

CVE-2025-31978 MEDIUM
4.3 May 06

HCL BigFix Service Management fails to sanitize spreadsheet data (CSV, XLS, XLSX) before export, allowing authenticated

CVE-2025-31974 LOW
3.9 May 06

HCL BigFix Service Management is vulnerable to improper root filesystem configuration, allowing high-privileged authenti

CVE-2025-31958 LOW
3.7 Apr 21

HTTP request smuggling in HCL BigFix Service Management allows remote unauthenticated attackers to exploit HTTP parsing

CVE-2025-31982 LOW
3.7 May 06

HCL BigFix Service Management contains unauthenticated-accessible directories that are not linked in the user interface

CVE-2025-31983 LOW
3.7 May 06

HCL BigFix Service Management (SM) contains a Content Security Policy (CSP) header misconfiguration that enables cross-s

CVE-2025-31959 LOW
3.5 May 06

HCL BigFix Service Management fails to strip EXIF metadata from uploaded images, allowing authenticated users to inadver

CVE-2025-31957 LOW
2.6 May 06

HCL BigFix Service Management (SM) contains a cross-site request forgery (CSRF) vulnerability that allows authenticated

Share

EUVD-2025-209701 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy