Description
HCL BigFix Service Management (SM) is affected by a security misconfiguration vulnerability due to CSP header. This could allow attackers to inject malicious scripts increasing the risk of cross-site scripting (XSS) and potential exposure of sensitive information.
Published: 2026-05-06
Score: 3.7 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a misconfiguration of the Content Security Policy (CSP) header that allows attackers to inject malicious scripts into the web interface. This flaw exposes the application to classic cross‑site scripting attacks, which could let an adversary steal session tokens, read confidential data, or modify the user experience. The weakness is classified as CWE‑358, highlighting that the issue stems from improper configuration management rather than a coding bug.

Affected Systems

The problem occurs in HCL BigFix Service Management (SM). No specific version range was supplied, so all installations of the product are potentially affected until the vendor releases a fix or configuration guidance.

Risk and Exploitability

The CVSS score of 3.7 indicates a low‑to‑moderate severity, and the vulnerability is not listed in the CISA KEV catalog. Because the attack vector is not explicitly stated, it is inferred to be a web‑based exploitation that requires an authenticated or unauthenticated user to access the service management console. Without a patched or properly configured CSP header, the risk remains that an attacker could execute arbitrary JavaScript in the context of legitimate users.

Generated by OpenCVE AI on May 6, 2026 at 16:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a patched version of HCL BigFix Service Management that includes the CSP header fix once the vendor publishes one.
  • Configure the CSP header to a strict policy, allowing only trusted script sources and disabling 'unsafe-inline' and 'unsafe-eval'.
  • Validate that the CSP header is active by testing the console for script injection attempts and verifying that no inline scripts execute.
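An added example (not from the advisory or the vendor) of the check in the last two items: a small Python audit that parses a Content-Security-Policy header and reports whether the effective script policy still permits 'unsafe-inline', 'unsafe-eval' or wildcard/scheme-only sources. The two policies at the bottom are constructed samples.

```python
"""Audit a Content-Security-Policy header for script-source weaknesses."""
from typing import Dict, List, Optional

# Source expressions that let injected markup run scripts in a CSP-aware browser.
WEAK_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*", "data:", "http:", "https:"}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [sources]}.

    Browsers honour only the first occurrence of a repeated directive, so
    later duplicates are ignored here as well.
    """
    policy: Dict[str, List[str]] = {}
    for raw in header.split(";"):
        parts = raw.strip().split()
        if not parts:
            continue
        name, sources = parts[0].lower(), parts[1:]
        policy.setdefault(name, sources)
    return policy


def audit_script_policy(header: Optional[str]) -> List[str]:
    """Return findings for the effective script policy; [] means it is strict."""
    if not header or not header.strip():
        return ["no Content-Security-Policy header set"]
    policy = parse_csp(header)
    # script-src governs scripts; default-src is the fallback when it is absent.
    directive = "script-src" if "script-src" in policy else "default-src"
    if directive not in policy:
        return ["neither script-src nor default-src present: scripts unrestricted"]
    sources = policy[directive]
    return [f"{directive} allows {src}" for src in sources if src in WEAK_SOURCES]


# Constructed sample policies (not taken from the product).
WEAK_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https:"
STRICT_POLICY = "default-src 'self'; script-src 'self' 'nonce-r4nd0mV4lu3'; object-src 'none'"

if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("strict", STRICT_POLICY)):
        print(label, audit_script_policy(policy) or ["ok"])
```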



Advisories

No advisories yet.

History

Wed, 06 May 2026 15:30:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 06 May 2026 14:30:00 +0000

Type        | Values Removed | Values Added
Description |                | HCL BigFix Service Management (SM) is affected by a security misconfiguration vulnerability due to CSP header. This could allow attackers to inject malicious scripts increasing the risk of cross-site scripting (XSS) and potential exposure of sensitive information.
Title       |                | HCL BigFix Service Management (SM) is affected by a security misconfiguration vulnerability due to CSP header
Weaknesses  |                | CWE-358
References  |                |
Metrics     |                | cvssV3_1: {'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:L'}



MITRE

Status: PUBLISHED

Assigner: HCL

Published:

Updated: 2026-05-06T14:49:05.461Z

Reserved: 2025-04-01T18:46:33.655Z

Link: CVE-2025-31983

Vulnrichment

Updated: 2026-05-06T14:49:00.359Z

NVD

Status : Undergoing Analysis

Published: 2026-05-06T15:16:07.783

Modified: 2026-05-06T19:00:48.330

Link: CVE-2025-31983

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T16:45:07Z

Weaknesses