Description
A missing authorization vulnerability in HCL BigFix WebUI allows an authenticated user without proper permissions to view sensitive environmental information via direct URL access to the unauthorized page.
Published: 2026-05-09
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A missing authorization check in HCL BigFix WebUI lets an authenticated user without the correct permissions view sensitive environmental details via a direct URL to the restricted page. This flaw, classified as CWE‑862, results in unauthorized disclosure of confidential data and could facilitate further reconnaissance or credential misuse by an attacker who has an account but insufficient privileges. The impact is a breach of confidentiality for the exposed environment information, but it does not directly allow remote code execution or denial of service.

Affected Systems

The vulnerability affects HCL Software’s BigFix WebUI. No specific product versions are listed by the CNA, so any installation of BigFix WebUI that predates the public fix may be at risk.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. The EPSS score is not available, and the issue is not listed in CISA’s KEV catalog, suggesting no known active exploitation. Exploitation requires the attacker to possess a valid user account, but it does not rely on unauthenticated access. The attack path is straightforward: an authenticated user simply navigates to the restricted URL, and the missing authorization check allows the data to be displayed. Because the flaw does not involve remote code execution or privilege escalation, the likelihood of widespread exploitation remains low, though illicit disclosure of environment data is possible.

Generated by OpenCVE AI on May 9, 2026 at 06:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest HCL BigFix WebUI release that includes the authorization fix.
  • If a patch is not yet available, block or restrict direct access to the sensitive URL using web‑server configuration (e.g., .htaccess, Nginx rewrite rules) or an intermediate authorization layer.
  • Review all user accounts and remove any that have unnecessary rights to view environment information, enforcing least privilege.
  • Monitor web‑server logs for unauthorized attempts to access the restricted page and investigate any anomalies.

Generated by OpenCVE AI on May 9, 2026 at 06:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 14 May 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Hcltech bigfix Webui Api
Hcltech bigfix Webui Application Administration
Hcltech bigfix Webui Cmep
Hcltech bigfix Webui Common
Hcltech bigfix Webui Content App
Hcltech bigfix Webui Custom
Hcltech bigfix Webui Data Sync
Hcltech bigfix Webui Extensions
Hcltech bigfix Webui Framework
Hcltech bigfix Webui Insights
Hcltech bigfix Webui Ivr
Hcltech bigfix Webui Mdm
Hcltech bigfix Webui Patch
Hcltech bigfix Webui Patch Policies
Hcltech bigfix Webui Permissions And Preferences
Hcltech bigfix Webui Profile Management
Hcltech bigfix Webui Query
Hcltech bigfix Webui Reports
Hcltech bigfix Webui Scm
Hcltech bigfix Webui Software Distribution
Hcltech bigfix Webui Take Action
CPEs cpe:2.3:a:hcltech:bigfix_webui_api:*:*:*:*:*:*:*:*
cpe:2.3:a:hcltech:bigfix_webui_application_administration:*:*:*:*:*:*:*:*
cpe:2.3:a:hcltech:bigfix_webui_cmep:*:*:*:*:*:*:*:*
cpe:2.3:a:hcltech:bigfix_webui_common:*:*:*:*:*:*:*:*
cpe:2.3:a:hcltech:bigfix_webui_content_app:*:*:*:*:*:*:*:*
cpe:2.3:a:hcltech:bigfix_webui_custom:*:*:*:*:*:*:*:*
cpe:2.3:a:hcltech:bigfix_webui_data_sync:*:*:*:*:*:*:*:*
cpe:2.3:a:hcltech:bigfix_webui_extensions:*:*:*:*:*:*:*:*
cpe:2.3:a:hcltech:bigfix_webui_framework:*:*:*:*:*:*:*:*
cpe:2.3:a:hcltech:bigfix_webui_insights:*:*:*:*:*:*:*:*
cpe:2.3:a:hcltech:bigfix_webui_ivr:*:*:*:*:*:*:*:*
cpe:2.3:a:hcltech:bigfix_webui_mdm:*:*:*:*:*:*:*:*
cpe:2.3:a:hcltech:bigfix_webui_patch:*:*:*:*:*:*:*:*
cpe:2.3:a:hcltech:bigfix_webui_patch_policies:*:*:*:*:*:*:*:*
cpe:2.3:a:hcltech:bigfix_webui_permissions_and_preferences:*:*:*:*:*:*:*:*
cpe:2.3:a:hcltech:bigfix_webui_profile_management:*:*:*:*:*:*:*:*
cpe:2.3:a:hcltech:bigfix_webui_query:*:*:*:*:*:*:*:*
cpe:2.3:a:hcltech:bigfix_webui_reports:*:*:*:*:*:*:*:*
cpe:2.3:a:hcltech:bigfix_webui_scm:*:*:*:*:*:*:*:*
cpe:2.3:a:hcltech:bigfix_webui_software_distribution:*:*:*:*:*:*:*:*
cpe:2.3:a:hcltech:bigfix_webui_take_action:*:*:*:*:*:*:*:*
Vendors & Products Hcltech bigfix Webui Api
Hcltech bigfix Webui Application Administration
Hcltech bigfix Webui Cmep
Hcltech bigfix Webui Common
Hcltech bigfix Webui Content App
Hcltech bigfix Webui Custom
Hcltech bigfix Webui Data Sync
Hcltech bigfix Webui Extensions
Hcltech bigfix Webui Framework
Hcltech bigfix Webui Insights
Hcltech bigfix Webui Ivr
Hcltech bigfix Webui Mdm
Hcltech bigfix Webui Patch
Hcltech bigfix Webui Patch Policies
Hcltech bigfix Webui Permissions And Preferences
Hcltech bigfix Webui Profile Management
Hcltech bigfix Webui Query
Hcltech bigfix Webui Reports
Hcltech bigfix Webui Scm
Hcltech bigfix Webui Software Distribution
Hcltech bigfix Webui Take Action
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

Mon, 11 May 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sun, 10 May 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Hcltech
Hcltech bigfix Webui
Vendors & Products Hcltech
Hcltech bigfix Webui

Sat, 09 May 2026 05:30:00 +0000

Type Values Removed Values Added
Description A missing authorization vulnerability in HCL BigFix WebUI allows an authenticated user without proper permissions to view sensitive environmental information via direct URL access to the unauthorized page.
Title HCL BigFix WebUI is affected by a missing authorization vulnerability
Weaknesses CWE-862
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Hcltech Bigfix Webui Bigfix Webui Api Bigfix Webui Application Administration Bigfix Webui Cmep Bigfix Webui Common Bigfix Webui Content App Bigfix Webui Custom Bigfix Webui Data Sync Bigfix Webui Extensions Bigfix Webui Framework Bigfix Webui Insights Bigfix Webui Ivr Bigfix Webui Mdm Bigfix Webui Patch Bigfix Webui Patch Policies Bigfix Webui Permissions And Preferences Bigfix Webui Profile Management Bigfix Webui Query Bigfix Webui Reports Bigfix Webui Scm Bigfix Webui Software Distribution Bigfix Webui Take Action
cve-icon MITRE

Status: PUBLISHED

Assigner: HCL

Published:

Updated: 2026-05-11T15:20:56.101Z

Reserved: 2026-04-14T05:56:28.569Z

Link: CVE-2025-15634

cve-icon Vulnrichment

Updated: 2026-05-11T15:20:52.154Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-09T06:16:09.130

Modified: 2026-05-14T20:28:14.120

Link: CVE-2025-15634

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-10T20:00:05Z

Weaknesses