Description
HCL BigFix Service Management (SM) application fails to strip EXIF metadata from uploaded images. This could lead to confidentiality and privacy risks if sensitive location information is unintentionally shared.
Published: 2026-05-06
Score: 3.5 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises because HCL BigFix Service Management does not remove EXIF metadata when users upload images. The absence of sanitization means that uploaded files may carry embedded data such as GPS coordinates, camera make or model, and timestamps. This data can expose confidential or private information about employees, clients, or service locations. The weakness corresponds to CWE-1230, which relates to insufficient sanitization resulting in information disclosure.

Affected Systems

The affected product is HCL BigFix Service Management from HCL Software. No specific version information is supplied by the CNA, so all versions currently in use may be vulnerable until an update is available. Administrators should verify whether the application serves uploaded image files and whether any filters apply to EXIF data.

Risk and Exploitability

The CVSS score of 3.5 indicates low severity. No EPSS score is provided, suggesting no known exploitation data, and the vulnerability is not listed in the CISA KEV catalog. Exploitation would involve uploading a crafted image containing location data, which the system then stores or displays to other users, potentially disclosing sensitive geographic information. The CVSS vector (PR:L, UI:R) indicates that exploitation requires a low-privileged user or service account able to upload content plus some user interaction; no remote code execution or system compromise is implied.

Generated by OpenCVE AI on May 6, 2026 at 15:51 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Implement server-side EXIF stripping for all image uploads using tools like ExifTool or built-in libraries.
  • Disable public image upload functionality if not required for business processes.
  • Scan and remove metadata from stored images before they are made visible to end users.

Generated by OpenCVE AI on May 6, 2026 at 15:51 UTC.
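As an added example that is not part of the OpenCVE record or of HCL's product, the following dependency-free Python shows the kind of server-side stripping the first recommendation calls for: it walks a JPEG's segment table up to Start-Of-Scan, drops the APP1 (Exif/XMP), APP13 (IPTC) and COM segments, and copies the scan data unchanged, while has_exif serves as the pre-publication check the third recommendation describes. The sample image bytes are a constructed skeleton, not a real photo; PNG (eXIf chunk) and WebP (EXIF chunk) uploads need the same treatment with their own container parsers.

```python
import struct

SOI, SOS, EOI = 0xFFD8, 0xFFDA, 0xFFD9  # start of image, start of scan, end of image
# Segments to drop: APP1 (Exif incl. GPS IFD, XMP), APP13 (IPTC), COM. APP0/APP14 stay: decoders need them.
STRIP_MARKERS = {0xFFE1, 0xFFED, 0xFFFE}

def strip_jpeg_metadata(data: bytes) -> bytes:
    """Copy a JPEG without its APP1/APP13/COM segments; pixel data is untouched."""
    if len(data) < 4 or data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    out, pos = bytearray(data[:2]), 2
    while pos + 4 <= len(data):
        marker, length = struct.unpack(">HH", data[pos:pos + 4])
        if (marker & 0xFF00) != 0xFF00:
            raise ValueError(f"corrupt segment header at offset {pos}")
        if marker == SOS:                 # scan data and EOI follow: keep verbatim
            return bytes(out + data[pos:])
        seg_end = pos + 2 + length        # the length field counts its own two bytes
        if seg_end > len(data):
            raise ValueError("truncated segment")
        if marker not in STRIP_MARKERS:
            out += data[pos:seg_end]
        pos = seg_end
    raise ValueError("no SOS marker found")

def has_exif(data: bytes) -> bool:
    """True if an APP1 segment with the 'Exif\\0\\0' identifier precedes SOS."""
    pos = 2
    while pos + 4 <= len(data):
        marker, length = struct.unpack(">HH", data[pos:pos + 4])
        if marker == SOS:
            return False
        if marker == 0xFFE1 and data[pos + 4:pos + 10] == b"Exif\x00\x00":
            return True
        pos += 2 + length
    return False

def _segment(marker: int, payload: bytes) -> bytes:
    return struct.pack(">HH", marker, len(payload) + 2) + payload

# Constructed fixture (not a real photo): minimal JPEG skeleton; the APP1 payload stands in for a GPS IFD.
EXIF_PAYLOAD = b"Exif\x00\x00MM\x00\x2a\x00\x00\x00\x08GPS-LAT-LON-PLACEHOLDER"
SAMPLE_JPEG = (
    struct.pack(">H", SOI)
    + _segment(0xFFE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")  # APP0: kept
    + _segment(0xFFE1, EXIF_PAYLOAD)                                      # APP1 Exif: stripped
    + _segment(0xFFFE, b"camera comment")                                 # COM: stripped
    + struct.pack(">HH", SOS, 8) + bytes(6)                               # SOS header
    + b"\x12\x34\x56" + struct.pack(">H", EOI)                            # scan stub + EOI
)
```

Run the stripper on every upload before it is stored, and has_exif over already-stored images to find ones that still need cleaning.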

Advisories

No advisories yet.

History

Wed, 06 May 2026 15:30:00 +0000

Type         Values Removed   Values Added
Metrics      -                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 06 May 2026 14:30:00 +0000

Type         Values Removed   Values Added
Description  -                HCL BigFix Service Management (SM) application fails to strip EXIF metadata from uploaded images. This could lead to confidentiality and privacy risks if sensitive location information is unintentionally shared.
Title        -                HCL BigFix Service Management (SM) application fails to strip EXIF metadata from uploaded images.
Weaknesses   -                CWE-1230
References   -
Metrics      -                cvssV3_1: {'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: HCL

Published:

Updated: 2026-05-06T14:47:52.965Z

Reserved: 2025-04-01T18:46:19.517Z

Link: CVE-2025-31959

Vulnrichment

Updated: 2026-05-06T14:47:49.712Z

NVD

Status : Undergoing Analysis

Published: 2026-05-06T15:16:05.870

Modified: 2026-05-06T19:00:48.330

Link: CVE-2025-31959

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T16:00:06Z

Weaknesses