CVE-2025-15633

Published May 9, 2026

Last updated 2 months ago

Overview

Description
An improper authorization vulnerability in HCL BigFix WebUI allows an authenticated user without Master Operator privileges to access internal data (site names, versions, and configuration variables) and bypass privilege requirements via unprotected endpoints lacking adequate security headers.
Source
psirt@hcl.com
NVD status
Analyzed
Products
bigfix_webui_api, bigfix_webui_application_administration, bigfix_webui_cmep, bigfix_webui_common, bigfix_webui_content_app, bigfix_webui_custom, bigfix_webui_data_sync, bigfix_webui_extensions, bigfix_webui_framework, bigfix_webui_insights, bigfix_webui_ivr, bigfix_webui_mdm, bigfix_webui_patch, bigfix_webui_patch_policies, bigfix_webui_permissions_and_preferences, bigfix_webui_profile_management, bigfix_webui_query, bigfix_webui_reports, bigfix_webui_scm, bigfix_webui_software_distribution, bigfix_webui_take_action

Risk scores

CVSS 4.0

Type
Secondary
Base score
5.3
Impact score
-
Exploitability score
-
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Severity
MEDIUM

CVSS 3.1

Type
Primary
Base score
6.5
Impact score
3.6
Exploitability score
2.8
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Severity
MEDIUM

Weaknesses

psirt@hcl.com
CWE-863

Social media

Hype score
Not currently trending

Configurations