Description
HCL BigFix Service Management (SM) is affected by a security misconfiguration due to a missing or insecure “X-Content-Type-Options” header. This could allow browsers to perform MIME-type sniffing, potentially causing malicious content to be interpreted and executed incorrectly.
Published: 2026-05-06
Score: 3.7 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

HCL BigFix Service Management (SM) suffers from a security misconfiguration: the "X-Content-Type-Options" header is missing or set insecurely. Without this header, web browsers may perform MIME‑type sniffing, interpreting served content as a different type than declared. This allows an attacker to deliver content that browsers will execute incorrectly, such as scripts masquerading as harmless data. The record classifies the weakness under CWE‑200; the underlying problem is improper header configuration leading to unintended content processing.

Affected Systems

The affected product is HCL BigFix Service Management (SM). No specific version information is available in the current data. The vulnerability applies to all deployments exposing the web interface of this product.

Risk and Exploitability

The CVSS score of 3.7 places the vulnerability in the low severity band; the EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, suggesting that it is not a widely exploited or actively targeted flaw. The likely attack vector involves users' browsers interacting with the web interface of BigFix SM, where a malicious actor can craft a request that returns content with an improper content‑type. Exploitation requires the victim's browser to load this content; it is therefore a client‑side vulnerability that depends on the user's environment. Given these conditions, the overall risk remains low but still warrants timely remediation.

Generated by OpenCVE AI on May 6, 2026 at 15:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Configure the application or web server to send the "X-Content-Type-Options: nosniff" header on all HTTP responses
  • Validate and enforce correct content‑type headers for every resource served by BigFix SM
  • If a vendor‑supplied patch or update is available, apply it as the definitive fix
  • As a temporary workaround, add the header at a reverse proxy or load balancer that fronts the application, so it is applied to every response before it reaches the browser
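To verify the first two recommended actions, the following added example (not OpenCVE's or HCL's code) audits raw HTTP responses for a usable "X-Content-Type-Options: nosniff" header and an explicit Content-Type, following the Fetch standard's rule that only the first comma-separated value counts. The sample responses are constructed for the demonstration and were not captured from any real host.

```python
"""Offline check for the weakness described above: does a response carry
'X-Content-Type-Options: nosniff' and an explicit Content-Type?"""
from email import message_from_string
from email.message import Message


def parse_response(raw: str) -> tuple[str, Message]:
    """Split a raw HTTP/1.1 response into its status line and a
    case-insensitive header map (the body is not needed for this check)."""
    head, _, _body = raw.partition("\r\n\r\n")
    status_line, _, header_block = head.partition("\r\n")
    return status_line, message_from_string(header_block)


def nosniff_enforced(headers: Message) -> bool:
    """Mirror the Fetch standard's 'determine nosniff' step: combine all
    X-Content-Type-Options values, split on commas, and only the first
    value counts, compared ASCII case-insensitively against 'nosniff'."""
    values = headers.get_all("X-Content-Type-Options")
    if not values:
        return False
    first = ",".join(values).split(",")[0].strip()
    return first.lower() == "nosniff"


def audit_response(raw: str) -> list[str]:
    """Return findings for one response; an empty list means it is hardened."""
    _status, headers = parse_response(raw)
    findings = []
    if not nosniff_enforced(headers):
        present = headers.get_all("X-Content-Type-Options")
        if present is None:
            findings.append("X-Content-Type-Options header missing")
        else:
            findings.append(f"X-Content-Type-Options not 'nosniff': {present!r}")
    if headers.get("Content-Type") is None:
        findings.append("Content-Type header missing; browser must guess the type")
    return findings


# Constructed sample responses (not captured from any real BigFix SM host).
SAMPLES = {
    "missing": "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n<script>",
    "wrong_value": "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
                   "X-Content-Type-Options: none\r\n\r\n<script>",
    "hardened": "HTTP/1.1 200 OK\r\nContent-Type: text/plain; charset=utf-8\r\n"
                "X-Content-Type-Options: NoSniff\r\n\r\n<script>",
    "no_ctype": "HTTP/1.1 200 OK\r\nX-Content-Type-Options: nosniff\r\n\r\ndata",
}


def audit_all(samples: dict[str, str] = SAMPLES) -> dict[str, list[str]]:
    """Audit every sample and return only the ones that have findings."""
    return {name: f for name, raw in samples.items() if (f := audit_response(raw))}


if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(f"{name}: {'; '.join(findings)}")
```

Point `audit_response` at a response captured from your own deployment (for example via `curl -i`) to confirm the proxy or application change took effect on every resource, not only HTML pages.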


Advisories

No advisories yet.

History

Wed, 06 May 2026 15:30:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 06 May 2026 14:30:00 +0000

Type        | Values Removed | Values Added
Description |                | HCL BigFix Service Management (SM) is affected by a security misconfiguration due to a missing or insecure "X-Content-Type-Options" header. This could allow browsers to perform MIME-type sniffing, potentially causing malicious content to be interpreted and executed incorrectly.
Title       |                | HCL BigFix Service Management (SM) is affected by a security misconfiguration due to a missing or insecure "X-Content-Type-Options" header
Weaknesses  |                | CWE-200
References  |                |
Metrics     |                | cvssV3_1: {'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:L'}



MITRE

Status: PUBLISHED

Assigner: HCL

Published:

Updated: 2026-05-06T14:48:38.299Z

Reserved: 2025-04-01T18:46:33.655Z

Link: CVE-2025-31984

Vulnrichment

Updated: 2026-05-06T14:48:34.477Z

NVD

Status: Undergoing Analysis

Published: 2026-05-06T15:16:07.900

Modified: 2026-05-06T19:00:48.330

Link: CVE-2025-31984

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T16:00:06Z

Weaknesses