Description
A missing authorization vulnerability in HCL BigFix WebUI allows an authenticated user without proper permissions to view sensitive environmental information via direct URL access to the unauthorized page.
Published: 2026-05-09
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A missing authorization check in HCL BigFix WebUI lets an authenticated user without the correct permissions view sensitive environmental details via a direct URL to the restricted page. This flaw, classified as CWE‑862, results in unauthorized disclosure of confidential data and could facilitate further reconnaissance or credential misuse by an attacker who has an account but insufficient privileges. The impact is a breach of confidentiality for the exposed environment information, but it does not directly allow remote code execution or denial of service.

Affected Systems

The vulnerability affects HCL Software’s BigFix WebUI. No specific product versions are listed by the CNA, so any installation of BigFix WebUI that predates the public fix may be at risk.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. The EPSS score is not available, and the issue is not listed in CISA’s KEV catalog, suggesting no known active exploitation. Exploitation requires the attacker to possess a valid user account, but it does not rely on unauthenticated access. The attack path is straightforward: an authenticated user simply navigates to the restricted URL, and the missing authorization check allows the data to be displayed. Because the flaw does not involve remote code execution or privilege escalation, the likelihood of widespread exploitation remains low, though illicit disclosure of environment data is possible.

Generated by OpenCVE AI on May 9, 2026 at 06:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest HCL BigFix WebUI release that includes the authorization fix.
  • If a patch is not yet available, block or restrict direct access to the sensitive URL using web‑server configuration (e.g., .htaccess, Nginx rewrite rules) or an intermediate authorization layer.
  • Review all user accounts and remove any that have unnecessary rights to view environment information, enforcing least privilege.
  • Monitor web‑server logs for unauthorized attempts to access the restricted page and investigate any anomalies.

Generated by OpenCVE AI on May 9, 2026 at 06:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 09 May 2026 05:30:00 +0000

Type Values Removed Values Added
Description A missing authorization vulnerability in HCL BigFix WebUI allows an authenticated user without proper permissions to view sensitive environmental information via direct URL access to the unauthorized page.
Title HCL BigFix WebUI is affected by a missing authorization vulnerability
Weaknesses CWE-862
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: HCL

Published:

Updated: 2026-05-09T05:05:33.534Z

Reserved: 2026-04-14T05:56:28.569Z

Link: CVE-2025-15634

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-09T06:16:09.130

Modified: 2026-05-09T06:16:09.130

Link: CVE-2025-15634

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-09T06:30:25Z

Weaknesses