Description
An improper authorization vulnerability in HCL BigFix WebUI allows an authenticated user without Master Operator privileges to access internal data (site names, versions, and configuration variables) and bypass privilege requirements via unprotected endpoints lacking adequate security headers.
Published: 2026-05-09
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An improper authorization vulnerability in HCL BigFix WebUI allows an authenticated user lacking Master Operator privileges to retrieve site names, version information, and configuration variables from unprotected endpoints. The flaw arises from missing access controls and inadequate security headers, permitting visibility into internal data that should be restricted to privileged accounts.

Affected Systems

HCL Software’s BigFix WebUI is impacted. All deployments using this web interface are potentially vulnerable until an update that restores proper authorization is applied, as no specific version range is defined in the CNA data.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. EPSS is not available and the vulnerability is not listed in the CISA KEV catalog. Attackers require an authenticated session with non-privileged credentials and target endpoints that lack proper security headers to bypass privilege checks and access configuration data.

Generated by OpenCVE AI on May 9, 2026 at 06:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest vendor patch for HCL BigFix WebUI that restores proper authorization checks
  • Restrict WebUI access to users with Master Operator privileges or enforce stricter role‑based controls
  • Configure HTTP security headers (e.g., X‑Frame‑Options, X‑Content‑Type‑Options, Content‑Security‑Policy) on vulnerable endpoints
  • If a patch is not yet available, limit network exposure of the WebUI to trusted IP ranges

Generated by OpenCVE AI on May 9, 2026 at 06:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 14 May 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Hcltech bigfix Webui Api
Hcltech bigfix Webui Application Administration
Hcltech bigfix Webui Cmep
Hcltech bigfix Webui Common
Hcltech bigfix Webui Content App
Hcltech bigfix Webui Custom
Hcltech bigfix Webui Data Sync
Hcltech bigfix Webui Extensions
Hcltech bigfix Webui Framework
Hcltech bigfix Webui Insights
Hcltech bigfix Webui Ivr
Hcltech bigfix Webui Mdm
Hcltech bigfix Webui Patch
Hcltech bigfix Webui Patch Policies
Hcltech bigfix Webui Permissions And Preferences
Hcltech bigfix Webui Profile Management
Hcltech bigfix Webui Query
Hcltech bigfix Webui Reports
Hcltech bigfix Webui Scm
Hcltech bigfix Webui Software Distribution
Hcltech bigfix Webui Take Action
CPEs cpe:2.3:a:hcltech:bigfix_webui_api:*:*:*:*:*:*:*:*
cpe:2.3:a:hcltech:bigfix_webui_application_administration:*:*:*:*:*:*:*:*
cpe:2.3:a:hcltech:bigfix_webui_cmep:*:*:*:*:*:*:*:*
cpe:2.3:a:hcltech:bigfix_webui_common:*:*:*:*:*:*:*:*
cpe:2.3:a:hcltech:bigfix_webui_content_app:*:*:*:*:*:*:*:*
cpe:2.3:a:hcltech:bigfix_webui_custom:*:*:*:*:*:*:*:*
cpe:2.3:a:hcltech:bigfix_webui_data_sync:*:*:*:*:*:*:*:*
cpe:2.3:a:hcltech:bigfix_webui_extensions:*:*:*:*:*:*:*:*
cpe:2.3:a:hcltech:bigfix_webui_framework:*:*:*:*:*:*:*:*
cpe:2.3:a:hcltech:bigfix_webui_insights:*:*:*:*:*:*:*:*
cpe:2.3:a:hcltech:bigfix_webui_ivr:*:*:*:*:*:*:*:*
cpe:2.3:a:hcltech:bigfix_webui_mdm:*:*:*:*:*:*:*:*
cpe:2.3:a:hcltech:bigfix_webui_patch:*:*:*:*:*:*:*:*
cpe:2.3:a:hcltech:bigfix_webui_patch_policies:*:*:*:*:*:*:*:*
cpe:2.3:a:hcltech:bigfix_webui_permissions_and_preferences:*:*:*:*:*:*:*:*
cpe:2.3:a:hcltech:bigfix_webui_profile_management:*:*:*:*:*:*:*:*
cpe:2.3:a:hcltech:bigfix_webui_query:*:*:*:*:*:*:*:*
cpe:2.3:a:hcltech:bigfix_webui_reports:*:*:*:*:*:*:*:*
cpe:2.3:a:hcltech:bigfix_webui_scm:*:*:*:*:*:*:*:*
cpe:2.3:a:hcltech:bigfix_webui_software_distribution:*:*:*:*:*:*:*:*
cpe:2.3:a:hcltech:bigfix_webui_take_action:*:*:*:*:*:*:*:*
Vendors & Products Hcltech bigfix Webui Api
Hcltech bigfix Webui Application Administration
Hcltech bigfix Webui Cmep
Hcltech bigfix Webui Common
Hcltech bigfix Webui Content App
Hcltech bigfix Webui Custom
Hcltech bigfix Webui Data Sync
Hcltech bigfix Webui Extensions
Hcltech bigfix Webui Framework
Hcltech bigfix Webui Insights
Hcltech bigfix Webui Ivr
Hcltech bigfix Webui Mdm
Hcltech bigfix Webui Patch
Hcltech bigfix Webui Patch Policies
Hcltech bigfix Webui Permissions And Preferences
Hcltech bigfix Webui Profile Management
Hcltech bigfix Webui Query
Hcltech bigfix Webui Reports
Hcltech bigfix Webui Scm
Hcltech bigfix Webui Software Distribution
Hcltech bigfix Webui Take Action
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Mon, 11 May 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sun, 10 May 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Hcltech
Hcltech bigfix Webui
Vendors & Products Hcltech
Hcltech bigfix Webui

Sat, 09 May 2026 05:30:00 +0000

Type Values Removed Values Added
Description An improper authorization vulnerability in HCL BigFix WebUI allows an authenticated user without Master Operator privileges to access internal data (site names, versions, and configuration variables) and bypass privilege requirements via unprotected endpoints lacking adequate security headers.
Title HCL BigFix WebUI is affected by an improper authorization vulnerability
Weaknesses CWE-863
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N'}

Subscriptions

Hcltech Bigfix Webui Bigfix Webui Api Bigfix Webui Application Administration Bigfix Webui Cmep Bigfix Webui Common Bigfix Webui Content App Bigfix Webui Custom Bigfix Webui Data Sync Bigfix Webui Extensions Bigfix Webui Framework Bigfix Webui Insights Bigfix Webui Ivr Bigfix Webui Mdm Bigfix Webui Patch Bigfix Webui Patch Policies Bigfix Webui Permissions And Preferences Bigfix Webui Profile Management Bigfix Webui Query Bigfix Webui Reports Bigfix Webui Scm Bigfix Webui Software Distribution Bigfix Webui Take Action
cve-icon MITRE

Status: PUBLISHED

Assigner: HCL

Published:

Updated: 2026-05-11T17:30:11.814Z

Reserved: 2026-04-14T05:56:25.354Z

Link: CVE-2025-15633

cve-icon Vulnrichment

Updated: 2026-05-11T17:30:01.186Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-09T06:16:07.413

Modified: 2026-05-14T20:28:21.457

Link: CVE-2025-15633

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-10T20:00:05Z

Weaknesses