Description
HCL BigFix Service Management (SM) is vulnerable to information exposure due to improper error handling within its reporting module. It was observed that supplying an invalid or out-of-range value to the consumer_company parameter during a report-viewing request causes the application to trigger an unhandled exception.
Published: 2026-05-06
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

HCL BigFix Service Management has an information exposure flaw in its reporting module. Supplying an invalid or out-of-range consumer_company value in a report-viewing request triggers an unhandled exception, and the resulting error output exposes information to the requester. This is CWE-209 (Generation of Error Message Containing Sensitive Information): an exception that should have been caught and replaced with a generic error instead surfaces internal details to the client.

Affected Systems

The vulnerability affects HCL BigFix Service Management (SM). The record does not name specific versions or build numbers, so every deployment of the product should be treated as potentially affected until the vendor publishes a fix and the affected range.

Risk and Exploitability

The CVSS v3.1 score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) places this issue in the medium range: reachable over the network, low attack complexity, no privileges or user interaction required, with a limited confidentiality impact and no impact on integrity or availability. The EPSS score is below 1%, the SSVC assessment records no known exploitation and marks the issue as not automatable, and the vulnerability is not listed in the CISA KEV catalogue. An attacker sends a report-viewing request with a crafted consumer_company value to the reporting endpoint and reads the information exposed in the resulting error output. The use of a request parameter and the network attack vector in the CVSS string point to remote exploitation over HTTP, although the advisory text itself does not name the protocol.

Generated by OpenCVE AI on May 6, 2026 at 20:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑issued patch or update for HCL BigFix Service Management when one becomes available; none is listed in this record yet.
  • Restrict access to the reporting feature so that only authenticated and authorized users can reach report‑viewing requests; the CVSS vector records PR:N, so the endpoint is reachable without privileges as deployed.
  • Until a fix is available, reject requests whose consumer_company value is not a well‑formed, in‑range identifier before they reach the application (for example at a reverse proxy or WAF), and configure the application server to return generic error pages rather than exception details, which is the CWE‑209 exposure this record describes.
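The following is an added illustration of the CWE‑209 pattern described above, not HCL BigFix code: a report‑viewing handler that lets an invalid or out‑of‑range consumer_company value raise and echoes the exception to the client, beside a hardened handler that validates the parameter first and returns a generic error while logging the detail server‑side. The in‑memory report store, the assumed numeric identifier format and the upper bound on company IDs are assumptions made for the example.

```python
"""Illustrative CWE-209 pattern around a consumer_company report parameter.

Not HCL BigFix Service Management code. The report store, the numeric
identifier format and MAX_COMPANY_ID are assumptions for the example.
"""
from __future__ import annotations

import logging
import re
import traceback
from typing import Optional, Tuple

log = logging.getLogger("reporting")

# Constructed sample data: company id -> report body (assumption).
REPORTS = {1: "Quarterly incidents - Acme", 2: "Quarterly incidents - Globex"}
MAX_COMPANY_ID = 10_000  # assumed upper bound on valid consumer_company ids


def view_report_vulnerable(query: dict) -> Tuple[int, str]:
    """'Before' pattern: parse and look up without validation.

    A non-numeric value raises ValueError, an unknown id raises KeyError,
    and a framework that renders uncaught exceptions sends the traceback
    (file names, frames, the offending value) to the caller.  The except
    block below mimics that debug-style error page.
    """
    try:
        company_id = int(query["consumer_company"])
        return 200, REPORTS[company_id]
    except Exception:
        return 500, traceback.format_exc()


class InvalidParameter(ValueError):
    """Raised for any consumer_company value that fails validation."""


def parse_consumer_company(raw: Optional[str]) -> int:
    """Accept only 1-9 ASCII digits within [1, MAX_COMPANY_ID].

    [0-9] is used instead of str.isdigit() or \\d so that Unicode digit
    look-alikes are rejected before int() ever sees them.
    """
    if raw is None or not re.fullmatch(r"[0-9]{1,9}", raw):
        raise InvalidParameter("consumer_company must be a positive integer")
    company_id = int(raw)
    if not 1 <= company_id <= MAX_COMPANY_ID:
        raise InvalidParameter("consumer_company out of range")
    return company_id


def view_report_hardened(query: dict) -> Tuple[int, str]:
    """'After' pattern: validate first, answer with generic messages only.

    The reason for rejection goes to the server log, never to the client.
    """
    try:
        company_id = parse_consumer_company(query.get("consumer_company"))
    except InvalidParameter as exc:
        log.warning("rejected report request: %s", exc)
        return 400, "Bad request"
    report = REPORTS.get(company_id)
    if report is None:
        return 404, "Not found"
    return 200, report


def leaks_internals(body: str) -> bool:
    """Crude response check a tester can run: does the body carry
    traceback or exception markers that a generic error page never would?"""
    markers = ("Traceback (most recent call last)", 'File "',
               "KeyError", "ValueError")
    return any(marker in body for marker in markers)


if __name__ == "__main__":
    for value in ("abc", "999999", "-1", "1"):
        status, body = view_report_vulnerable({"consumer_company": value})
        print(f"vulnerable  {value!r}: {status} leaks={leaks_internals(body)}")
        status, body = view_report_hardened({"consumer_company": value})
        print(f"hardened    {value!r}: {status} {body}")
```

The hardened handler still distinguishes a malformed request (400) from an unknown but well‑formed id (404); if tenant separation matters in the deployment, collapsing both to the same generic response removes that second, smaller oracle as well.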



Advisories

No advisories yet.

History

Wed, 06 May 2026 19:30:00 +0000

Type: Metrics (ssvc)
Values removed: none
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 06 May 2026 18:30:00 +0000

Type: Description
Values removed: none
Values added: HCL BigFix Service Management (SM) is vulnerable to information exposure due to improper error handling within its reporting module. It was observed that supplying an invalid or out-of-range value to the consumer_company parameter during a report-viewing request causes the application to trigger an unhandled exception.

Type: Title
Values removed: none
Values added: HCL BigFix Service Management (SM) is vulnerable to information exposure due to improper error handling within its reporting module

Type: Weaknesses
Values removed: none
Values added: CWE-209

Type: References
Values removed: none
Values added: (none listed)

Type: Metrics (cvssV3_1)
Values removed: none
Values added: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: HCL

Published:

Updated: 2026-05-06T18:31:51.261Z

Reserved: 2025-04-01T18:46:19.517Z

Link: CVE-2025-31960

Vulnrichment

Updated: 2026-05-06T18:31:46.404Z

NVD

Status : Awaiting Analysis

Published: 2026-05-06T19:16:35.480

Modified: 2026-05-06T19:20:52.837

Link: CVE-2025-31960

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T20:45:05Z

Weaknesses