Description
HCL BigFix Service Management (SM) is affected by a Cross‑Site Request Forgery (CSRF) vulnerability. This could lead to unauthorized changes or exposure of sensitive data.
Published: 2026-05-06
Score: 2.6 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

HCL BigFix Service Management is vulnerable to Cross‑Site Request Forgery. An attacker can cause a logged‑in user to perform privileged actions or expose sensitive data without the user’s knowledge. The vulnerability stems from missing CSRF protections on state‑changing operations (CWE‑352).

Affected Systems

The affected product is HCL Software BigFix Service Management (SM). No specific version information is listed, so all currently deployed instances should be treated as potentially vulnerable until confirmed otherwise.

Risk and Exploitability

The CVSS score of 2.6 indicates a relatively low severity, and the issue is not listed in CISA's KEV catalog. Exploitation requires a user with valid credentials to inadvertently submit a malicious request; an attacker can provoke this by sending the victim a link or embedding a crafted form. Successful exploitation can lead to unauthorized data modifications or disclosure limited to the victim’s permission scope.

Generated by OpenCVE AI on May 6, 2026 at 15:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor-defined patch or upgrade to the newest BigFix Service Management release that addresses the CSRF flaw.
  • If an immediate patch is not available, restrict or disable the endpoints that allow state‑changing operations vulnerable to CSRF.
  • Ensure that all state‑changing requests validate a unique anti‑CSRF token that is bound to the user’s session and that requests from untrusted origins are rejected.
  • Monitor application logs for unexpected state‑changing requests originating from untrusted sources to detect potential exploitation attempts.
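As an added illustration of the last two bullets (example code, not from HCL or OpenCVE), the check below accepts a state-changing request only when its Origin or Referer matches the application and it carries a token that is an HMAC of the session id, so a token minted for one session is useless in another; the host name, secret and session id are constructed placeholders, and the returned reason string is what the application would log for the monitoring bullet.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed placeholders: a real deployment loads the secret from a vault
# and the allowed origin list from configuration.
SERVER_SECRET = b"constructed-secret-rotate-me"
ALLOWED_ORIGINS = {"https://bigfix-sm.example.internal"}
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def issue_csrf_token(session_id: str) -> str:
    """Session-bound token: HMAC(secret, session_id), so it cannot be
    replayed against another user's session."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def origin_allowed(headers: dict) -> bool:
    """Accept only requests whose Origin (or, failing that, Referer) is ours."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False  # fail closed: no provenance on a state change
        parts = urlparse(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin in ALLOWED_ORIGINS


def check_state_change(method: str, headers: dict, form: dict, session_id: str):
    """Return (allowed, reason). Safe methods pass; state changes need both an
    allowed origin and a valid session-bound token. The reason string is what
    you would write to the application log when a request is rejected."""
    if method not in STATE_CHANGING:
        return True, "safe method"
    if not origin_allowed(headers):
        return False, "untrusted origin"
    expected = issue_csrf_token(session_id)
    supplied = form.get("csrf_token", "")
    # compare_digest on bytes: constant time, and tolerant of non-ASCII input
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "missing or invalid csrf token"
    return True, "ok"


if __name__ == "__main__":
    sid = "sess-constructed-123"
    good = {"Origin": "https://bigfix-sm.example.internal"}
    forged = {"Origin": "https://attacker.example"}  # cross-site form post
    print(check_state_change("POST", good, {"csrf_token": issue_csrf_token(sid)}, sid))
    print(check_state_change("POST", forged, {}, sid))
```

Failing closed when neither header is present is the conservative choice for a state-changing endpoint; confirm that legitimate clients (scripts, proxies that strip Referer) actually send one of them before enforcing it.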

Tracking

Advisories

No advisories yet.

History

Wed, 06 May 2026 16:15:00 +0000

Type      Values Removed   Values Added
Metrics   (none)           ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 06 May 2026 14:30:00 +0000

Type          Values Removed   Values Added
Description   (none)           HHCL BigFix Service Management (SM) is affected by a Cross‑Site Request Forgery (CSRF) vulnerability. This could lead to unauthorized changes or exposure of sensitive data.
Title         (none)           HCL BigFix Service Management (SM) is affected by a Cross‑Site Request Forgery (CSRF) vulnerability.
Weaknesses    (none)           CWE-352
References    (none)           (none listed)
Metrics       (none)           cvssV3_1 {'score': 2.6, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: HCL

Published:

Updated: 2026-05-06T14:50:06.147Z

Reserved: 2025-04-01T18:46:19.517Z

Link: CVE-2025-31957

Vulnrichment

Updated: 2026-05-06T14:50:00.468Z

NVD

Status: Received

Published: 2026-05-06T15:16:05.750

Modified: 2026-05-06T15:16:05.750

Link: CVE-2025-31957

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T16:00:06Z

Weaknesses