Description
A misconfigured Content Security Policy (CSP) in HCL BigFix Remote Control Server WebUI (versions 10.1.0.0442 and earlier) fails to define directives without fallbacks, allowing attackers to bypass intended security restrictions and load unauthorized resources.
Published: 2026-05-27
Score: 4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A misconfigured Content Security Policy in the HCL BigFix Remote Control Server WebUI, affecting versions 10.1.0.0442 and earlier, leaves undefined certain directives that have no fallback in CSP, that is, directives that do not inherit from default-src when they are omitted (frame-ancestors, form-action and base-uri are the usual ones). For an omitted directive of that kind the browser applies no restriction at all, so an attacker can bypass the intended policy and load or embed resources the policy was meant to block. The assigned weakness, CWE-1021 (Improper Restriction of Rendered UI Layers or Frames), indicates that framing of the WebUI is the concern.

Affected Systems

The vulnerable component is the BigFix Remote Control Server WebUI from HCL Software. All releases up to and including version 10.1.0.0442 are affected; no fixed version is named on this page.

Risk and Exploitability

The CVSS 3.1 base score is 4.0 (Medium), vector AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N: reachable over the network, but with high attack complexity, high privileges required and user interaction required, a scope change, and low confidentiality and integrity impact. EPSS data is not available, and the vulnerability is not in the CISA KEV catalog. Exploitation requires a privileged WebUI user to interact with attacker-controlled content, which fits the UI-redress weakness assigned (CWE-1021). The outcome is that the client loads or is framed by content the CSP should have blocked; no server-side code execution is described.

Generated by OpenCVE AI on May 27, 2026 at 23:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor update once HCL publishes a version newer than 10.1.0.0442 with a corrected CSP configuration; none is listed on this page yet.
  • Review the CSP the WebUI sends and confirm that every directive without a fallback (frame-ancestors, form-action, base-uri) is set explicitly, since these do not inherit from default-src, and that only trusted sources are permitted. Sending X-Frame-Options alongside frame-ancestors covers browsers that honour only the legacy header.
  • If an update is not immediately possible, constrain access to the WebUI using network controls, such as limiting traffic to trusted hosts or blocking the endpoint from untrusted networks.
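The review step above can be done mechanically. The following is an added example, not code from HCL or the BigFix Remote Control product: a small Python auditor that parses a Content-Security-Policy header and reports directives that have no fallback to default-src, the class of omission this CVE describes. The two sample policies (WEAK_CSP, HARDENED_CSP) are constructed for illustration and were not captured from any BigFix build.

```python
"""Audit a Content-Security-Policy header for directives that have no fallback.

Added example, not HCL's code. The sample policies below are constructed for
illustration and are not the product's real headers.
"""

# Directives that never fall back to default-src (CSP Level 3). When one of
# these is absent from the header, the browser applies no restriction at all
# for the behaviour it governs.
NO_FALLBACK_DIRECTIVES = {
    "frame-ancestors": "any origin may frame the page (UI redress, CWE-1021)",
    "form-action": "forms may be submitted to any origin",
    "base-uri": "an injected <base> tag can redirect every relative URL",
}

# Fetch directives that fall back to default-src; without a default-src they
# are unrestricted when omitted.
FETCH_DIRECTIVES = (
    "script-src", "style-src", "img-src", "connect-src", "font-src",
    "object-src", "media-src", "frame-src", "child-src", "worker-src",
)

# Constructed sample policies (assumptions, not captured from BigFix).
WEAK_CSP = "default-src 'self'; script-src 'self'; img-src 'self' data:"
HARDENED_CSP = (
    "default-src 'self'; script-src 'self'; img-src 'self' data:; "
    "object-src 'none'; frame-ancestors 'none'; form-action 'self'; "
    "base-uri 'self'"
)


def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}.

    Directives are separated by ';' and tokens by ASCII whitespace. If a
    directive name appears twice, browsers honour only the first occurrence,
    so the parser keeps the first one as well.
    """
    policy = {}
    for raw in header.split(";"):
        tokens = raw.strip().split()
        if not tokens:
            continue
        name = tokens[0].lower()
        policy.setdefault(name, tokens[1:])
    return policy


def audit_csp(header, x_frame_options=None):
    """Return a list of findings describing gaps in the policy.

    x_frame_options is the value of a legacy X-Frame-Options header, if the
    response sends one; DENY or SAMEORIGIN still restricts framing, so a
    missing frame-ancestors is not reported in that case.
    """
    policy = parse_csp(header)
    findings = []

    for name, consequence in NO_FALLBACK_DIRECTIVES.items():
        if name in policy:
            continue
        if (name == "frame-ancestors" and x_frame_options
                and x_frame_options.strip().upper() in ("DENY", "SAMEORIGIN")):
            continue  # the legacy header covers this gap
        findings.append(f"missing {name}: {consequence}")

    if "default-src" not in policy:
        for name in FETCH_DIRECTIVES:
            if name not in policy:
                findings.append(f"missing {name} and no default-src: unrestricted")

    # Even when the governing directive exists, these source expressions
    # defeat it for script loading. script-src wins over default-src.
    script_sources = policy.get("script-src", policy.get("default-src", []))
    if "'unsafe-inline'" in script_sources or "*" in script_sources:
        findings.append("script sources permit inline or wildcard: "
                        + " ".join(script_sources))

    return findings


if __name__ == "__main__":
    for label, csp in (("weak", WEAK_CSP), ("hardened", HARDENED_CSP)):
        print(f"{label}: {audit_csp(csp) or ['no findings']}")
```

Run against a live server by pasting the value of the Content-Security-Policy response header into audit_csp; the weak sample reports three missing no-fallback directives even though default-src is set, which is exactly why a default-src alone does not protect against framing.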


Advisories

No advisories yet.

History

Wed, 27 May 2026 21:00:00 +0000

Type          Values removed   Values added
Description   (none)           A misconfigured Content Security Policy (CSP) in HCL BigFix Remote Control Server WebUI (versions 10.1.0.0442 and earlier) fails to define directives without fallbacks, allowing attackers to bypass intended security restrictions and load unauthorized resources.
Title         (none)           HCL BigFix Remote Control Server WebUI is affected by a misconfigured Content Security Policy
Weaknesses    (none)           CWE-1021
References    (none)           (none)
Metrics       (none)           cvssV3_1 {'score': 4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: HCL

Published:

Updated: 2026-05-27T20:15:56.441Z

Reserved: 2026-01-05T16:08:02.276Z

Link: CVE-2026-21785

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-27T21:16:17.327

Modified: 2026-05-27T21:16:17.327

Link: CVE-2026-21785

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T23:15:35Z

Weaknesses