BigFix Service Management (SM): 13 CVEs

CVE-2025-31960 MEDIUM This Month

HCL BigFix Service Management (SM) leaks sensitive information through improper error handling in its reporting module. Unauthenticated remote attackers can trigger unhandled exceptions by submitting invalid or out-of-range values to the consumer_company parameter during report-viewing requests, exposing application details in error messages. The CVSS score is moderate (5.3), reflecting low confidentiality impact with no integrity or availability impact.

Tags: Information Disclosure | Sources: NVD, VulDB | CVSS 3.1: 5.3 | EPSS: 0.0%
CVE-2025-31974 LOW Monitor

HCL BigFix Service Management is vulnerable to improper root filesystem configuration, allowing high-privileged authenticated users with user interaction to make unauthorized modifications to critical system components. The vulnerability requires administrative privileges and user consent (CVSS:3.1/AV:N/AC:H/PR:H/UI:R), resulting in limited confidentiality, integrity, and availability impacts. No active exploitation has been publicly reported.

Tags: Authentication Bypass | Sources: NVD, VulDB | CVSS 3.1: 3.9 | EPSS: 0.0%
CVE-2025-31975 LOW Monitor

HCL BigFix Service Management exposes server banner information containing software versions and system details accessible to adjacent network attackers through a non-default interaction, enabling reconnaissance for targeted attacks against known vulnerabilities. The vulnerability requires adjacent network access and user interaction, resulting in limited confidentiality impact with no integrity or availability consequences. CVSS 2.6 indicates low severity, though information disclosure can facilitate secondary attacks.

Tags: Information Disclosure | Sources: NVD, VulDB | CVSS 3.1: 2.6 | EPSS: 0.0%
CVE-2025-52613 MEDIUM This Month

HCL BigFix Service Management (SM) contains an insecure or outdated WSGI server implementation that exposes the application to known security weaknesses. Authenticated local attackers, under high-complexity conditions, can achieve limited information disclosure and integrity compromise (CVSS 4.6). No active exploitation or public PoC was identified at time of analysis.

Tags: Authentication Bypass, Information Disclosure | Sources: NVD, VulDB | CVSS 3.1: 4.6 | EPSS: 0.0%
CVE-2025-31976 HIGH This Week

Credential exposure in HCL BigFix Service Management (SM) version 23 leaves credentials insufficiently protected for a brief window while the application communicates with an internal backend service, which an attacker who can capture that traffic could reuse to authenticate to the backend. The flaw was self-reported by HCL and carries a CVSS 7.5 (confidentiality-only) rating; there is no public exploit identified at time of analysis and EPSS is negligible (0.03%, 8th percentile). CISA's SSVC framing rates exploitation as none and the issue as not automatable, indicating low immediate urgency.

Tags: Information Disclosure | Sources: NVD, VulDB | CVSS 3.1: 7.5 | EPSS: 0.0%
CVE-2025-31978 MEDIUM This Month

HCL BigFix Service Management fails to sanitize spreadsheet data (CSV, XLS, XLSX) before export, allowing authenticated users to inject formulas or malicious content that executes when recipients open the files in spreadsheet applications. An attacker with legitimate service management access can craft payloads in data fields that, when exported and opened by targeted users, may exfiltrate information or trigger unintended actions, though modern Excel versions mitigate this with untrusted content warnings. CVSS 4.6 reflects moderate risk limited to authenticated users and required user interaction (opening the file).

Tags: Information Disclosure | Sources: NVD, VulDB | CVSS 3.1: 4.3 | EPSS: 0.0%
CVE-2025-31959 LOW Monitor

HCL BigFix Service Management fails to strip EXIF metadata from uploaded images, allowing authenticated users to inadvertently expose sensitive location information and other metadata embedded in image files. The vulnerability requires user interaction (image upload and viewing) but poses a direct confidentiality risk to organizations handling location-sensitive imagery through the application.

Tags: Information Disclosure | Sources: NVD, VulDB | CVSS 3.1: 3.5 | EPSS: 0.0%
CVE-2025-31982 LOW Monitor

HCL BigFix Service Management contains unauthenticated-accessible directories that are not linked in the user interface but can be reached through direct URL access, enabling authenticated users with low privileges to disclose sensitive information or access restricted functionality. The vulnerability requires authenticated access, user interaction, and higher-than-average attack complexity; active exploitation status has not been confirmed.

Tags: Information Disclosure | Sources: NVD, VulDB | CVSS 3.1: 3.7 | EPSS: 0.0%
CVE-2025-31984 LOW Monitor

HCL BigFix Service Management lacks secure X-Content-Type-Options HTTP headers, allowing browsers to perform MIME-type sniffing that could lead to malicious content being interpreted as executable code. The vulnerability requires local authentication, high attack complexity, and user interaction, affecting confidentiality and availability with a CVSS score of 3.7. No active exploitation or public exploit code is documented at time of analysis.

Tags: Information Disclosure | Sources: NVD | CVSS 3.1: 3.7 | EPSS: 0.0%
CVE-2025-31983 LOW Monitor

HCL BigFix Service Management (SM) contains a Content Security Policy (CSP) header misconfiguration that enables cross-site scripting (XSS) attacks. Authenticated users with low privileges can inject malicious scripts by exploiting insufficient CSP directives, potentially exposing sensitive information or hijacking user sessions. The vulnerability requires user interaction (UI:R) and operates in a non-global scope, limiting but not eliminating real-world risk.

Tags: XSS | Sources: NVD | CVSS 3.1: 3.7 | EPSS: 0.0%
CVE-2025-31957 LOW Monitor

HCL BigFix Service Management (SM) contains a cross-site request forgery (CSRF) vulnerability that allows authenticated users with sufficient privileges to perform unauthorized actions or access sensitive data through malicious web requests. The vulnerability requires user interaction (such as clicking a malicious link) and affects confidentiality but not integrity or availability, resulting in a CVSS score of 2.6. No active exploitation has been publicly reported.

Tags: Information Disclosure, CSRF | Sources: NVD | CVSS 3.1: 2.6 | EPSS: 0.0%
CVE-2025-31981 MEDIUM This Month

HCL BigFix Service Management Discovery accepts unencrypted HTTP traffic on port 80, allowing network-adjacent attackers to passively intercept and read sensitive data in transit without authentication or user interaction. The vulnerability exposes confidential information including credentials and system details to packet sniffing attacks on any network where the service is accessible.

Tags: Information Disclosure | Sources: NVD, VulDB | CVSS 3.1: 5.3 | EPSS: 0.0%
CVE-2025-31958 LOW Monitor

HTTP request smuggling in HCL BigFix Service Management allows remote unauthenticated attackers to exploit HTTP parsing inconsistencies between front-end and back-end servers, potentially leading to limited information disclosure through cache poisoning or request hijacking attacks. The vulnerability has a CVSS score of 3.7 with low confidentiality impact but no direct availability or integrity impact.

Tags: Authentication Bypass, Request Smuggling | Sources: NVD, VulDB | CVSS 3.1: 3.7 | EPSS: 0.0%