Description
HCL BigFix Service Management (SM) is affected by a security misconfiguration due to a missing or insecure “X-Content-Type-Options” header. This could allow browsers to perform MIME-type sniffing, potentially causing malicious content to be interpreted and executed incorrectly.
Published: 2026-05-20
Score: 3.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

HCL BigFix Service Management (SM) is vulnerable to a security misconfiguration due to a missing or insecure "X-Content-Type-Options" header. When the header is absent, or its value is anything other than "nosniff", a browser may MIME-sniff the response body instead of trusting the declared Content-Type, so content served as plain text or with an unexpected type can be interpreted and executed as script or applied as a stylesheet. The CNA assigned CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), which is consistent with the CVSS vector's low confidentiality impact rather than with the code-execution wording; NVD later recorded the weakness as NVD-CWE-noinfo (insufficient information).

Affected Systems

This issue affects HCL BigFix Service Management (SM). The NVD CPE entry lists version 23.0 (cpe:2.3:a:hcltech:bigfix_service_management:23.0:*:*:*:*:*:*:*) and no fixed version is given, so treat any installation of BigFix SM as affected until its responses are verified to carry the header.

Risk and Exploitability

The CVSS 3.1 vector (AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:L) scores 3.7 (Low): the service is reachable over the network, but exploitation has high complexity, requires a low-privileged account on the service, and requires a victim to interact, for example by loading attacker-influenced content in a browser. The rated impact is limited to low confidentiality and availability loss with no integrity impact. The EPSS score of <1% indicates a very low probability of exploitation, the vulnerability is not listed in CISA KEV, and the SSVC assessment records Exploitation: none, Automatable: no, Technical Impact: partial.

Generated by OpenCVE AI on May 20, 2026 at 21:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Configure BigFix SM to send the "X-Content-Type-Options: nosniff" header on every HTTP response, including error pages, redirects and static assets
  • Apply the vendor patch or update that addresses the missing header once HCL publishes one (none is listed at the time of writing)
  • Until then, deploy a reverse proxy in front of BigFix SM that adds (or normalizes) the X-Content-Type-Options header on all outbound responses, and verify with a header scan that no response path, 4xx/5xx included, is left without it
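The following is an added example, not code from HCL BigFix SM or from OpenCVE. It illustrates both the Impact section (what a browser does with and without a valid header) and the header check the recommended actions call for: it parses constructed HTTP responses, classifies the X-Content-Type-Options header as missing, insecure or valid using the Fetch standard's rule (the first comma-separated value must be an ASCII case-insensitive "nosniff"), and applies the standard's nosniff blocking rule for script and stylesheet loads. The sample responses, bodies and status codes are constructed for the example; nothing here talks to a real server.

```python
"""Offline check for the X-Content-Type-Options misconfiguration.

Added example for this page, not HCL BigFix SM or OpenCVE code. It parses
constructed HTTP/1.1 responses, decides whether the header is missing,
insecure or valid, and applies the Fetch standard's nosniff rule: with a
valid "nosniff" a <script> load only runs if the declared MIME type is a
JavaScript MIME type and a stylesheet only applies if it is text/css.
Without the header the browser is free to sniff the body instead.
All responses below are constructed sample data.
"""
from typing import Dict, Optional, Tuple

# JavaScript MIME types as listed in the WHATWG MIME Sniffing standard.
JAVASCRIPT_MIME_TYPES = frozenset({
    "application/ecmascript", "application/javascript",
    "application/x-ecmascript", "application/x-javascript",
    "text/ecmascript", "text/javascript", "text/javascript1.0",
    "text/javascript1.1", "text/javascript1.2", "text/javascript1.3",
    "text/javascript1.4", "text/javascript1.5", "text/jscript",
    "text/livescript", "text/x-ecmascript", "text/x-javascript",
})


def parse_response(raw: bytes) -> Tuple[int, Dict[str, str], bytes]:
    """Split a raw HTTP/1.1 response into status, lower-cased headers and body.
    Repeated header fields are joined with commas (RFC 9110 section 5.3)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = value if name not in headers else headers[name] + ", " + value
    return status, headers, body


def nosniff_enabled(headers: Dict[str, str]) -> bool:
    """Fetch 'determine nosniff': the first comma-separated value must be an
    ASCII case-insensitive match for 'nosniff'. 'nosniff, x' passes,
    'x, nosniff' and any other value do not."""
    value = headers.get("x-content-type-options")
    if value is None:
        return False
    return value.split(",")[0].strip().lower() == "nosniff"


def mime_essence(headers: Dict[str, str]) -> Optional[str]:
    """Return type/subtype of Content-Type without parameters, or None."""
    content_type = headers.get("content-type")
    if content_type is None:
        return None
    essence = content_type.split(";")[0].strip().lower()
    return essence if "/" in essence else None


def blocked_by_nosniff(headers: Dict[str, str], destination: str) -> bool:
    """Fetch 'should response to request be blocked due to nosniff?' for the
    two destinations the rule covers ('script' and 'style')."""
    if not nosniff_enabled(headers):
        return False  # no protection: the browser may sniff the body
    essence = mime_essence(headers)
    if destination == "script":
        return essence not in JAVASCRIPT_MIME_TYPES
    if destination == "style":
        return essence != "text/css"
    return False


def audit(raw: bytes, destination: str = "script") -> Dict[str, object]:
    """Classify one response the way a header scanner would report it."""
    status, headers, _ = parse_response(raw)
    value = headers.get("x-content-type-options")
    if value is None:
        finding = "missing"
    elif nosniff_enabled(headers):
        finding = "ok"
    else:
        finding = "insecure value"
    return {
        "status": status,
        "header": value,
        "content_type": mime_essence(headers),
        "finding": finding,
        # True: the browser refuses to run/apply the body for this destination.
        # False: either sniffing is possible, or the declared type is already
        # an executable one, so nosniff has nothing to block.
        "blocked": blocked_by_nosniff(headers, destination),
    }


# Constructed responses imitating an attachment download from a ticketing
# service; the bodies and status codes are made up for the example.
SAMPLES = {
    "no header, text/plain body that is really JavaScript": (
        b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
        b"alert(document.cookie)"),
    "insecure value": (
        b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
        b"X-Content-Type-Options: sniff\r\n\r\nalert(1)"),
    "valid, case-insensitive": (
        b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
        b"X-Content-Type-Options: NoSniff\r\n\r\nalert(1)"),
    "valid, real script": (
        b"HTTP/1.1 200 OK\r\nContent-Type: application/javascript\r\n"
        b"X-Content-Type-Options: nosniff\r\n\r\nconsole.log('app')"),
    "error page still needs the header": (
        b"HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n"
        b"<html>not found</html>"),
}


def audit_all(destination: str = "script") -> Dict[str, Dict[str, object]]:
    return {name: audit(raw, destination) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in audit_all().items():
        print(f"{name:55} {result['finding']:15} blocked={result['blocked']}")
```

Two points the samples make explicit: the header only stops a browser from upgrading a non-script type into script or style, so it is a defence against attacker-influenced uploads and misdeclared responses, not against XSS in the application's own HTML; and the 404 sample shows why the header must be applied to error responses too. When the fix is done at a reverse proxy, nginx's `add_header X-Content-Type-Options nosniff always;` needs the `always` flag, since without it `add_header` only applies to 2xx and 3xx responses.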


Advisories

No advisories yet.

History

Wed, 20 May 2026 19:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Hcltech
                                      Hcltech bigfix Service Management
Weaknesses                            NVD-CWE-noinfo
CPEs                                  cpe:2.3:a:hcltech:bigfix_service_management:23.0:*:*:*:*:*:*:*
Vendors & Products                    Hcltech
                                      Hcltech bigfix Service Management

Wed, 20 May 2026 13:30:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc
                                      {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 20 May 2026 12:15:00 +0000

Type                 Values Removed   Values Added
Description                           HCL BigFix Service Management (SM) is affected by a security misconfiguration due to a missing or insecure “X-Content-Type-Options” header. This could allow browsers to perform MIME-type sniffing, potentially causing malicious content to be interpreted and executed incorrectly.
Title                                 HCL BigFix Service Management (SM) is affected by a security misconfiguration due to a missing or insecure “X-Content-Type-Options” header
Weaknesses                            CWE-200
References
Metrics                               cvssV3_1
                                      {'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: HCL

Published:

Updated: 2026-05-20T12:50:45.836Z

Reserved: 2025-04-01T18:46:33.655Z

Link: CVE-2025-31985

Vulnrichment

Updated: 2026-05-20T12:50:42.838Z

NVD

Status : Analyzed

Published: 2026-05-20T12:16:20.660

Modified: 2026-05-20T19:09:24.893

Link: CVE-2025-31985

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T21:15:26Z

Weaknesses