Skip to main content

Bigfix Platform

57 CVEs product

Monthly

CVE-2026-21767 MEDIUM This Month

HCL BigFix Platform allows local attackers to bypass authentication and access sensitive application areas without credentials, affecting confidentiality of data. The vulnerability requires local access but no privileges or user interaction, and is classified as a moderate-risk authentication bypass (CVSS 4.0) with limited technical complexity. Patches are available through HCL vendor advisories.

Authentication Bypass Bigfix Platform
NVD VulDB
CVSS 3.1
4.0
EPSS
0.0%
CVE-2024-42193 LOW Monitor

HCL BigFix Web Reports' service communicates over HTTPS but exhibits a weakness in its handling of SSL certificate validation. Rated low severity (CVSS 2.1), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure Authentication Bypass Bigfix Platform
NVD
CVSS 4.0
2.1
EPSS
0.1%
CVE-2024-42200 MEDIUM This Month

HCL BigFix Web Reports might be subject to a Stored Cross-Site Scripting (XSS) attack, due to a potentially weak validation of user input. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Bigfix Platform
NVD
CVSS 4.0
4.8
EPSS
0.1%
CVE-2024-42189 MEDIUM This Month

HCL BigFix Web Reports might be subject to a Denial of Service (DoS) attack, due to a potentially weak validation of an API parameter. Rated medium severity (CVSS 5.6), this vulnerability is remotely exploitable. No vendor patch available.

Denial Of Service Bigfix Platform
NVD
CVSS 4.0
5.6
EPSS
0.2%
CVE-2024-30117 MEDIUM This Month

A dynamic search for a prerequisite library could allow the possibility for an attacker to replace the correct file under some circumstances. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Bigfix Platform
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2024-23556 HIGH This Week

SSL/TLS Renegotiation functionality potentially leading to DoS attack vulnerability. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Bigfix Platform
NVD
CVSS 3.1
7.5
EPSS
0.4%
CVE-2024-23554 HIGH This Week

Cross-Site Request Forgery (CSRF) on Session Token vulnerability that could potentially lead to Remote Code Execution (RCE). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE CSRF Bigfix Platform
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2024-23583 MEDIUM This Month

An attacker could potentially intercept credentials via the task manager and perform unauthorized access to the Client Deploy Tool on Windows systems. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.

Authentication Bypass Microsoft Bigfix Platform
NVD
CVSS 3.1
6.7
EPSS
0.2%
CVE-2024-23553 MEDIUM This Month

A cross-site scripting (XSS) vulnerability in the Web Reports component of HCL BigFix Platform exists due to missing a specific http header attribute. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Bigfix Platform
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2023-37520 MEDIUM This Month

Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability identified in BigFix Server version 9.5.12.68, allowing for potential data exfiltration. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Bigfix Platform
NVD
CVSS 3.1
6.1
EPSS
0.2%
CVE-2023-37519 MEDIUM This Month

Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Bigfix Platform
NVD
CVSS 3.1
6.1
EPSS
0.2%
CVE-2023-37536 HIGH This Week

An integer overflow in xerces-c++ 3.2.3 in BigFix Platform allows remote attackers to cause out-of-bound access via HTTP request. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Integer Overflow Buffer Overflow Xerces C Bigfix Platform Fedora
NVD
CVSS 3.1
8.8
EPSS
1.4%
CVE-2022-42453 MEDIUM This Month

There are insufficient warnings when a Fixlet is imported by a user. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Bigfix Platform
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2022-38659 HIGH This Week

In specific scenarios, on Windows the operator credentials may be encrypted in a manner that is not completely machine-dependent. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Microsoft Bigfix Platform
NVD
CVSS 3.1
7.8
EPSS
0.1%
CVE-2020-14254 HIGH PATCH This Week

TLS-RSA cipher suites are not disabled in HCL BigFix Inventory up to v10.0.2. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Bigfix Platform
NVD
CVSS 3.1
7.5
EPSS
0.6%
CVE-2020-14248 MEDIUM This Month

BigFix Inventory up to v10.0.2 does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Bigfix Platform
NVD
CVSS 3.1
5.3
EPSS
0.7%
CVE-2020-4095 MEDIUM This Month

"BigFix Platform is storing clear text credentials within the system's memory. Rated medium severity (CVSS 6.0), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Bigfix Platform
NVD
CVSS 3.1
6.0
EPSS
0.2%
CVE-2019-4058 MEDIUM This Month

IBM BigFix Platform 9.2 and 9.5 could allow a low-privilege user to manipulate the UI into exposing interface elements and information normally restricted to administrators. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS IBM Bigfix Platform
NVD
CVSS 3.1
6.5
EPSS
0.9%
CVE-2019-4011 MEDIUM This Month

IBM BigFix Platform 9.2 and 9.5 is vulnerable to cross-site scripting. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS IBM Bigfix Platform
NVD
CVSS 3.1
5.4
EPSS
0.7%
CVE-2019-4013 CRITICAL POC THREAT Act Now

IBM BigFix Platform 9.5 could allow any authenticated user to upload any file to any location on the server with root privileges. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload IBM RCE Bigfix Platform
NVD Exploit-DB
CVSS 3.0
9.9
EPSS
14.1%
CVE-2019-4061 MEDIUM POC THREAT This Month

IBM BigFix Platform 9.2 and 9.5 could allow an attacker to query the relay remotely and gather information about the updates and fixlets deployed to the associated sites due to not enabling. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

IBM Information Disclosure Bigfix Platform
NVD GitHub
CVSS 3.1
5.3
EPSS
22.5%
CVE-2018-1485 MEDIUM This Month

IBM BigFix Platform 9.2.0 through 9.2.14 and 9.5 through 9.5.9 does not renew a session variable after a successful authentication which could lead to session fixation/hijacking vulnerability. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Session Fixation IBM Information Disclosure Bigfix Platform
NVD
CVSS 3.0
4.3
EPSS
1.0%
CVE-2018-1484 LOW Monitor

IBM BigFix Platform 9.2.0 through 9.2.14 and 9.5 through 9.5.9 does not set the secure attribute on authorization tokens or session cookies. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Session Fixation IBM Information Disclosure Bigfix Platform
NVD
CVSS 3.0
3.7
EPSS
1.0%
CVE-2018-1481 MEDIUM This Month

IBM BigFix Platform 9.2.0 through 9.2.14 and 9.5 through 9.5.9 stores sensitive information in URL parameters. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

IBM Information Disclosure Bigfix Platform
NVD
CVSS 3.0
5.3
EPSS
1.2%
CVE-2018-1480 MEDIUM This Month

IBM BigFix Platform 9.2.0 through 9.2.14 and 9.5 through 9.5.9 does not set the 'HttpOnly' attribute on authorization tokens or session cookies. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation XSS IBM Bigfix Platform
NVD
CVSS 3.0
5.3
EPSS
1.1%
CVE-2018-1478 MEDIUM This Month

IBM BigFix Platform 9.2.0 through 9.2.14 and 9.5 through 9.5.9 could allow a remote attacker to hijack the clicking action of the victim. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

IBM Information Disclosure Bigfix Platform
NVD
CVSS 3.0
6.1
EPSS
1.1%
CVE-2018-1476 HIGH This Week

IBM BigFix Platform 9.2.0 through 9.2.14 and 9.5 through 9.5.9 discloses sensitive information to unauthorized users. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

IBM Information Disclosure Bigfix Platform
NVD
CVSS 3.0
7.5
EPSS
1.4%
CVE-2018-1474 MEDIUM This Month

IBM BigFix Platform 9.2.0 through 9.2.14 and 9.5 through 9.5.9 is vulnerable to HTTP response splitting attacks, caused by improper validation of user-supplied input. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS IBM Bigfix Platform
NVD
CVSS 3.0
4.7
EPSS
1.2%
CVE-2018-1600 HIGH This Week

IBM BigFix Platform 9.2 and 9.5 transmits sensitive or security-critical data in clear text in a communication channel that can be sniffed by unauthorized actors. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

IBM Information Disclosure Bigfix Platform
NVD
CVSS 3.0
7.5
EPSS
1.1%
CVE-2018-1479 HIGH PATCH This Week

IBM BigFix Platform 9.2 and 9.5 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

CSRF IBM Bigfix Platform
NVD
CVSS 3.0
8.8
EPSS
0.7%
CVE-2018-1475 CRITICAL PATCH Act Now

IBM BigFix Platform 9.2 and 9.5 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

IBM Information Disclosure Bigfix Platform
NVD
CVSS 3.0
9.8
EPSS
2.2%
CVE-2018-1473 MEDIUM PATCH This Month

IBM BigFix Platform 9.2 and 9.5 is vulnerable to cross-site scripting. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS IBM Bigfix Platform
NVD
CVSS 3.0
6.1
EPSS
0.9%
CVE-2017-1229 MEDIUM This Month

IBM Tivoli Endpoint Manager (IBM BigFix 9.2 and 9.5) could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

IBM Information Disclosure Bigfix Platform
NVD
CVSS 3.0
5.9
EPSS
0.2%
CVE-2017-1221 CRITICAL Act Now

IBM Tivoli Endpoint Manager (IBM BigFix 9.2 and 9.5) does not require that users should have strong passwords by default, which makes it easier for attackers to compromise user accounts. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Brute Force IBM Information Disclosure Bigfix Platform
NVD
CVSS 3.0
9.8
EPSS
0.3%
CVE-2017-1521 MEDIUM PATCH This Month

IBM Tivoli Endpoint Manager (for Lifecycle/Power/Patch) Platform and Applications (IBM BigFix Platform 9.2 and 9.5) is vulnerable to cross-site scripting. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS IBM Bigfix Platform
NVD
CVSS 3.0
6.1
EPSS
0.3%
CVE-2017-1232 MEDIUM PATCH This Month

IBM Tivoli Endpoint Manager (IBM BigFix Platform 9.2 and 9.5) transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required.

IBM Information Disclosure Bigfix Platform
NVD
CVSS 3.0
5.9
EPSS
0.1%
CVE-2017-1230 MEDIUM PATCH This Month

IBM Tivoli Endpoint Manager (IBM BigFix Platform 9.2 and 9.5) uses insufficiently random numbers or values in a security context that depends on unpredictable numbers. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

IBM Information Disclosure Bigfix Platform
NVD
CVSS 3.0
5.3
EPSS
0.2%
CVE-2017-1228 LOW PATCH Monitor

IBM Tivoli Endpoint Manager (IBM BigFix Platform 9.2 and 9.5) could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable the secure cookie attribute. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

IBM Information Disclosure Bigfix Platform
NVD
CVSS 3.0
3.7
EPSS
0.2%
CVE-2017-1226 MEDIUM PATCH This Month

IBM Tivoli Endpoint Manager (IBM BigFix Platform 9.2 and 9.5) generates an error message in error logs that includes sensitive information about its environment which could be used in further attacks. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

IBM Information Disclosure Bigfix Platform
NVD
CVSS 3.0
4.3
EPSS
0.2%
CVE-2017-1225 MEDIUM PATCH This Month

IBM Tivoli Endpoint Manager (IBM BigFix Platform 9.2 and 9.5) stores sensitive information in URL parameters. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

IBM Information Disclosure Bigfix Platform
NVD
CVSS 3.0
5.3
EPSS
0.2%
CVE-2017-1222 MEDIUM PATCH This Month

IBM Tivoli Endpoint Manager (IBM BigFix Platform 9.2 and 9.5) does not perform an authentication check for a critical resource or functionality allowing anonymous users access to protected areas. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

IBM Authentication Bypass Bigfix Platform
NVD
CVSS 3.0
6.5
EPSS
0.2%
CVE-2017-1220 MEDIUM PATCH This Month

IBM Tivoli Endpoint Manager (IBM BigFix Platform 9.2 and 9.5) discloses sensitive information to unauthorized users. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

IBM Information Disclosure Bigfix Platform
NVD
CVSS 3.0
5.3
EPSS
0.2%
CVE-2017-1227 HIGH PATCH This Week

IBM Tivoli Endpoint Manager could allow a unauthorized user to consume all resources and crash the system. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Allocation of Resources Without Limits vulnerability could allow attackers to exhaust system resources through uncontrolled allocation.

Denial Of Service IBM Bigfix Platform
NVD
CVSS 3.0
7.5
EPSS
0.3%
CVE-2017-1224 HIGH This Week

IBM Tivoli Endpoint Manager uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

IBM Information Disclosure Bigfix Platform
NVD
CVSS 3.0
7.5
EPSS
0.1%
CVE-2017-1223 MEDIUM This Month

IBM Tivoli Endpoint Manager could allow a remote attacker to conduct phishing attacks, using an open redirect attack. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Open Redirect IBM Bigfix Platform
NVD
CVSS 3.0
6.1
EPSS
0.2%
CVE-2017-1219 MEDIUM This Month

IBM Tivoli Endpoint Manager is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE IBM Bigfix Platform
NVD
CVSS 3.0
6.5
EPSS
0.5%
CVE-2017-1218 HIGH This Week

IBM Tivoli Endpoint Manager is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF IBM Bigfix Platform
NVD
CVSS 3.0
8.8
EPSS
0.1%
CVE-2017-1203 MEDIUM This Month

IBM Tivoli Endpoint Manager (for Lifecycle/Power/Patch) Platform and Applications is vulnerable to cross-site scripting. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS IBM Bigfix Platform
NVD
CVSS 3.0
6.1
EPSS
0.3%
CVE-2016-0214 HIGH PATCH This Week

IBM Tivoli Endpoint Manager could allow a remote attacker to upload arbitrary files. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity.

IBM Authentication Bypass Bigfix Platform
NVD
CVSS 3.0
7.8
EPSS
0.3%
CVE-2016-6085 MEDIUM PATCH This Month

IBM BigFix Platform could allow an attacker on the local network to crash the BES and relay servers. Rated medium severity (CVSS 6.5), this vulnerability is no authentication required, low attack complexity.

IBM Authentication Bypass Bigfix Platform
NVD
CVSS 3.0
6.5
EPSS
0.2%
CVE-2016-6084 MEDIUM PATCH This Month

IBM BigFix Platform could allow an attacker on the local network to crash the BES server using a specially crafted XMLSchema request. Rated medium severity (CVSS 6.5), this vulnerability is no authentication required, low attack complexity.

Denial Of Service IBM Bigfix Platform
NVD
CVSS 3.0
6.5
EPSS
0.2%
CVE-2016-6082 CRITICAL PATCH Act Now

IBM BigFix Platform could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free race condition. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Use After Free vulnerability could allow attackers to access freed memory to execute arbitrary code or crash the application.

Memory Corruption IBM Use After Free RCE Bigfix Platform
NVD
CVSS 3.0
10.0
EPSS
7.4%
CVE-2016-0396 HIGH PATCH This Week

IBM Tivoli Endpoint Manager could allow a user under special circumstances to inject commands that would be executed with unnecessary higher privileges than expected. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. This Command Injection vulnerability could allow attackers to inject arbitrary commands into system command execution.

IBM Command Injection Bigfix Platform
NVD
CVSS 3.0
8.1
EPSS
0.5%
CVE-2016-0297 LOW Monitor

IBM Tivoli Endpoint Manager - Mobile Device Management (MDM) could allow a remote attacker to obtain sensitive information due to a missing HTTP Strict-Transport-Security Header through man in the. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

IBM Information Disclosure Bigfix Platform
NVD
CVSS 3.0
3.7
EPSS
0.2%
CVE-2016-0296 LOW PATCH Monitor

IBM Tivoli Endpoint Manager - Mobile Device Management (MDM) stores potentially sensitive information in log files that could be available to a local user. Rated low severity (CVSS 3.3), this vulnerability is low attack complexity.

IBM Information Disclosure Bigfix Platform
NVD
CVSS 3.0
3.3
EPSS
0.0%
CVE-2016-0293 MEDIUM This Month

Cross-site scripting (XSS) vulnerability in IBM BigFix Platform (formerly Tivoli Endpoint Manager) 9.x before 9.1.8 and 9.2.x before 9.2.8 allows remote attackers to inject arbitrary web script or. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

IBM XSS Bigfix Platform
NVD
CVSS 3.0
6.1
EPSS
0.2%
CVE-2016-0269 MEDIUM This Month

Cross-site scripting (XSS) vulnerability in IBM BigFix Platform 9.x before 9.1.8 and 9.2.x before 9.2.7 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

IBM XSS Bigfix Platform
NVD
CVSS 3.0
5.4
EPSS
0.2%
EPSS 0% CVSS 4.0
MEDIUM This Month

HCL BigFix Platform allows local attackers to bypass authentication and access sensitive application areas without credentials, affecting confidentiality of data. The vulnerability requires local access but no privileges or user interaction, and is classified as a moderate-risk authentication bypass (CVSS 4.0) with limited technical complexity. Patches are available through HCL vendor advisories.

Authentication Bypass Bigfix Platform
NVD VulDB
EPSS 0% CVSS 2.1
LOW Monitor

HCL BigFix Web Reports' service communicates over HTTPS but exhibits a weakness in its handling of SSL certificate validation. Rated low severity (CVSS 2.1), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure Authentication Bypass Bigfix Platform
NVD
EPSS 0% CVSS 4.8
MEDIUM This Month

HCL BigFix Web Reports might be subject to a Stored Cross-Site Scripting (XSS) attack, due to a potentially weak validation of user input. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Bigfix Platform
NVD
EPSS 0% CVSS 5.6
MEDIUM This Month

HCL BigFix Web Reports might be subject to a Denial of Service (DoS) attack, due to a potentially weak validation of an API parameter. Rated medium severity (CVSS 5.6), this vulnerability is remotely exploitable. No vendor patch available.

Denial Of Service Bigfix Platform
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

A dynamic search for a prerequisite library could allow the possibility for an attacker to replace the correct file under some circumstances. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Bigfix Platform
NVD
EPSS 0% CVSS 7.5
HIGH This Week

SSL/TLS Renegotiation functionality potentially leading to DoS attack vulnerability. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Bigfix Platform
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Cross-Site Request Forgery (CSRF) on Session Token vulnerability that could potentially lead to Remote Code Execution (RCE). Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE CSRF Bigfix Platform
NVD
EPSS 0% CVSS 6.7
MEDIUM This Month

An attacker could potentially intercept credentials via the task manager and perform unauthorized access to the Client Deploy Tool on Windows systems. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.

Authentication Bypass Microsoft Bigfix Platform
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

A cross-site scripting (XSS) vulnerability in the Web Reports component of HCL BigFix Platform exists due to missing a specific http header attribute. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Bigfix Platform
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability identified in BigFix Server version 9.5.12.68, allowing for potential data exfiltration. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Bigfix Platform
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Bigfix Platform
NVD
EPSS 1% CVSS 8.8
HIGH This Week

An integer overflow in xerces-c++ 3.2.3 in BigFix Platform allows remote attackers to cause out-of-bound access via HTTP request. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Integer Overflow Buffer Overflow Xerces C +2
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

There are insufficient warnings when a Fixlet is imported by a user. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Bigfix Platform
NVD
EPSS 0% CVSS 7.8
HIGH This Week

In specific scenarios, on Windows the operator credentials may be encrypted in a manner that is not completely machine-dependent. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Microsoft Bigfix Platform
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

TLS-RSA cipher suites are not disabled in HCL BigFix Inventory up to v10.0.2. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Bigfix Platform
NVD
EPSS 1% CVSS 5.3
MEDIUM This Month

BigFix Inventory up to v10.0.2 does not set the secure flag for the session cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Bigfix Platform
NVD
EPSS 0% CVSS 6.0
MEDIUM This Month

"BigFix Platform is storing clear text credentials within the system's memory. Rated medium severity (CVSS 6.0), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Bigfix Platform
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

IBM BigFix Platform 9.2 and 9.5 could allow a low-privilege user to manipulate the UI into exposing interface elements and information normally restricted to administrators. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS IBM Bigfix Platform
NVD
EPSS 1% CVSS 5.4
MEDIUM This Month

IBM BigFix Platform 9.2 and 9.5 is vulnerable to cross-site scripting. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS IBM Bigfix Platform
NVD
EPSS 14% CVSS 9.9
CRITICAL POC THREAT Act Now

IBM BigFix Platform 9.5 could allow any authenticated user to upload any file to any location on the server with root privileges. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload IBM RCE +1
NVD Exploit-DB
EPSS 23% CVSS 5.3
MEDIUM POC THREAT This Month

IBM BigFix Platform 9.2 and 9.5 could allow an attacker to query the relay remotely and gather information about the updates and fixlets deployed to the associated sites due to not enabling. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

IBM Information Disclosure Bigfix Platform
NVD GitHub
EPSS 1% CVSS 4.3
MEDIUM This Month

IBM BigFix Platform 9.2.0 through 9.2.14 and 9.5 through 9.5.9 does not renew a session variable after a successful authentication which could lead to session fixation/hijacking vulnerability. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Session Fixation IBM Information Disclosure +1
NVD
EPSS 1% CVSS 3.7
LOW Monitor

IBM BigFix Platform 9.2.0 through 9.2.14 and 9.5 through 9.5.9 does not set the secure attribute on authorization tokens or session cookies. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Session Fixation IBM Information Disclosure +1
NVD
EPSS 1% CVSS 5.3
MEDIUM This Month

IBM BigFix Platform 9.2.0 through 9.2.14 and 9.5 through 9.5.9 stores sensitive information in URL parameters. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

IBM Information Disclosure Bigfix Platform
NVD
EPSS 1% CVSS 5.3
MEDIUM This Month

IBM BigFix Platform 9.2.0 through 9.2.14 and 9.5 through 9.5.9 does not set the 'HttpOnly' attribute on authorization tokens or session cookies. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Session Fixation XSS IBM +1
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

IBM BigFix Platform 9.2.0 through 9.2.14 and 9.5 through 9.5.9 could allow a remote attacker to hijack the clicking action of the victim. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

IBM Information Disclosure Bigfix Platform
NVD
EPSS 1% CVSS 7.5
HIGH This Week

IBM BigFix Platform 9.2.0 through 9.2.14 and 9.5 through 9.5.9 discloses sensitive information to unauthorized users. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

IBM Information Disclosure Bigfix Platform
NVD
EPSS 1% CVSS 4.7
MEDIUM This Month

IBM BigFix Platform 9.2.0 through 9.2.14 and 9.5 through 9.5.9 is vulnerable to HTTP response splitting attacks, caused by improper validation of user-supplied input. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS IBM Bigfix Platform
NVD
EPSS 1% CVSS 7.5
HIGH This Week

IBM BigFix Platform 9.2 and 9.5 transmits sensitive or security-critical data in clear text in a communication channel that can be sniffed by unauthorized actors. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

IBM Information Disclosure Bigfix Platform
NVD
EPSS 1% CVSS 8.8
HIGH PATCH This Week

IBM BigFix Platform 9.2 and 9.5 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

CSRF IBM Bigfix Platform
NVD
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

IBM BigFix Platform 9.2 and 9.5 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

IBM Information Disclosure Bigfix Platform
NVD
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

IBM BigFix Platform 9.2 and 9.5 is vulnerable to cross-site scripting. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS IBM Bigfix Platform
NVD
EPSS 0% CVSS 5.9
MEDIUM This Month

IBM Tivoli Endpoint Manager (IBM BigFix 9.2 and 9.5) could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

IBM Information Disclosure Bigfix Platform
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

IBM Tivoli Endpoint Manager (IBM BigFix 9.2 and 9.5) does not require that users should have strong passwords by default, which makes it easier for attackers to compromise user accounts. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Brute Force IBM Information Disclosure +1
NVD
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

IBM Tivoli Endpoint Manager (for Lifecycle/Power/Patch) Platform and Applications (IBM BigFix Platform 9.2 and 9.5) is vulnerable to cross-site scripting. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS IBM Bigfix Platform
NVD
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

IBM Tivoli Endpoint Manager (IBM BigFix Platform 9.2 and 9.5) transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required.

IBM Information Disclosure Bigfix Platform
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

IBM Tivoli Endpoint Manager (IBM BigFix Platform 9.2 and 9.5) uses insufficiently random numbers or values in a security context that depends on unpredictable numbers. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

IBM Information Disclosure Bigfix Platform
NVD
EPSS 0% CVSS 3.7
LOW PATCH Monitor

IBM Tivoli Endpoint Manager (IBM BigFix Platform 9.2 and 9.5) could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable the secure cookie attribute. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

IBM Information Disclosure Bigfix Platform
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

IBM Tivoli Endpoint Manager (IBM BigFix Platform 9.2 and 9.5) generates an error message in error logs that includes sensitive information about its environment which could be used in further attacks. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

IBM Information Disclosure Bigfix Platform
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

IBM Tivoli Endpoint Manager (IBM BigFix Platform 9.2 and 9.5) stores sensitive information in URL parameters. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

IBM Information Disclosure Bigfix Platform
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

IBM Tivoli Endpoint Manager (IBM BigFix Platform 9.2 and 9.5) does not perform an authentication check for a critical resource or functionality allowing anonymous users access to protected areas. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

IBM Authentication Bypass Bigfix Platform
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

IBM Tivoli Endpoint Manager (IBM BigFix Platform 9.2 and 9.5) discloses sensitive information to unauthorized users. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

IBM Information Disclosure Bigfix Platform
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

IBM Tivoli Endpoint Manager could allow a unauthorized user to consume all resources and crash the system. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Allocation of Resources Without Limits vulnerability could allow attackers to exhaust system resources through uncontrolled allocation.

Denial Of Service IBM Bigfix Platform
NVD
EPSS 0% CVSS 7.5
HIGH This Week

IBM Tivoli Endpoint Manager uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

IBM Information Disclosure Bigfix Platform
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

IBM Tivoli Endpoint Manager could allow a remote attacker to conduct phishing attacks, using an open redirect attack. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Open Redirect IBM Bigfix Platform
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

IBM Tivoli Endpoint Manager is vulnerable to a XML External Entity Injection (XXE) attack when processing XML data. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XXE IBM Bigfix Platform
NVD
EPSS 0% CVSS 8.8
HIGH This Week

IBM Tivoli Endpoint Manager is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF IBM Bigfix Platform
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

IBM Tivoli Endpoint Manager (for Lifecycle/Power/Patch) Platform and Applications is vulnerable to cross-site scripting. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS IBM Bigfix Platform
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

IBM Tivoli Endpoint Manager could allow a remote attacker to upload arbitrary files. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity.

IBM Authentication Bypass Bigfix Platform
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

IBM BigFix Platform could allow an attacker on the local network to crash the BES and relay servers. Rated medium severity (CVSS 6.5), this vulnerability is no authentication required, low attack complexity.

IBM Authentication Bypass Bigfix Platform
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

IBM BigFix Platform could allow an attacker on the local network to crash the BES server using a specially crafted XMLSchema request. Rated medium severity (CVSS 6.5), this vulnerability is no authentication required, low attack complexity.

Denial Of Service IBM Bigfix Platform
NVD
EPSS 7% CVSS 10.0
CRITICAL PATCH Act Now

IBM BigFix Platform could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free race condition. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Use After Free vulnerability could allow attackers to access freed memory to execute arbitrary code or crash the application.

Memory Corruption IBM Use After Free +2
NVD
EPSS 1% CVSS 8.1
HIGH PATCH This Week

IBM Tivoli Endpoint Manager could allow a user under special circumstances to inject commands that would be executed with unnecessary higher privileges than expected. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. This Command Injection vulnerability could allow attackers to inject arbitrary commands into system command execution.

IBM Command Injection Bigfix Platform
NVD
EPSS 0% CVSS 3.7
LOW Monitor

IBM Tivoli Endpoint Manager - Mobile Device Management (MDM) could allow a remote attacker to obtain sensitive information due to a missing HTTP Strict-Transport-Security Header through man in the. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

IBM Information Disclosure Bigfix Platform
NVD
EPSS 0% CVSS 3.3
LOW PATCH Monitor

IBM Tivoli Endpoint Manager - Mobile Device Management (MDM) stores potentially sensitive information in log files that could be available to a local user. Rated low severity (CVSS 3.3), this vulnerability is low attack complexity.

IBM Information Disclosure Bigfix Platform
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Cross-site scripting (XSS) vulnerability in IBM BigFix Platform (formerly Tivoli Endpoint Manager) 9.x before 9.1.8 and 9.2.x before 9.2.8 allows remote attackers to inject arbitrary web script or. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

IBM XSS Bigfix Platform
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Cross-site scripting (XSS) vulnerability in IBM BigFix Platform 9.x before 9.1.8 and 9.2.x before 9.2.7 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

IBM XSS Bigfix Platform
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy