HCLTech 関連製品全体の CVE とセキュリティ脆弱性情報を集約し、CVSS、EPSS、公開日、脆弱性情報データを掲載しています。
公開された問題は vendor risk cross-site scripting、パス処理の欠陥, and vendor risk csrf に関連することが多く、vendor surface software deployment and vendor surface production workloads の文脈で vendor impact session compromise and ファイル上書き などの暴露リスクを伴う場合があります。
掲載データは公開脆弱性情報とセキュリティ公告に基づき、過去の暴露面と修補優先度の評価に利用できます。
| CVE | 概要 | ソース | CVSS 最大値 | EPSS(%) | 公開 | 更新 |
|---|---|---|---|---|---|---|
| CVE-2025-52612 | HCL iControl was affected by Export CSV - CSV Injection vulnerability. It is vulnerable to a reflected cross-site scripting vulnerability. This was caused by an insufficient sanitation of input parameters. . | [email protected] | 7.1 | 0.04% | 2026-06-04 | 2026-06-04 |
| CVE-2025-52611 | HCL iControl v4.0.0 was affected by Unhandled Exception - Stack Trace Disclosure vulnerability. The error occurs due to an undefined property being accessed in the application's JavaScript code. Specifically, the code attempts to read the property dashboard key from an object that is undefined. This issue likely stems from one of the following: A missing or improperly initialized object. | [email protected] | 3.1 | 0.03% | 2026-06-04 | 2026-06-04 |
| CVE-2025-52609 | HCL iControl was affected by Missing Security Headers vulnerability. which lead to cross-site scripting (XSS) attacks by enabling the built-in XSS filtering mechanisms of modern web browsers. | [email protected] | 3.7 | 0.05% | 2026-06-04 | 2026-06-04 |
| CVE-2025-52608 | HCL iControl was affected by Missing Cookie Attributes vulnerability. It was observed that the application is missing several critical cookie attributes, including Secure and SameSite. And also path is set to root. | [email protected] | 3.1 | 0.02% | 2026-06-04 | 2026-06-04 |
| CVE-2025-52606 | HCL iControl was affected by Weak Input Validation vulnerability. This weakness is caused during implementation of an architectural security tactic. Received input that is expected to be of a certain type, but it does not validate or incorrectly validates that the input is actually of the expected type. | [email protected] | 4.3 | 0.03% | 2026-06-04 | 2026-06-04 |
| CVE-2025-31985 | HCL BigFix Service Management (SM) is affected by a security misconfiguration due to a missing or insecure “X-Content-Type-Options” header. This could allow browsers to perform MIME-type sniffing, potentially causing malicious content to be interpreted and executed incorrectly. | [email protected] | 3.7 | 0.03% | 2026-05-20 | 2026-05-20 |
| CVE-2025-31973 | HCL BigFix Service Management (SM) is susceptible to a Configuration – 'Insecure Use of Base Image Version'. Using outdated or insecure base images may introduce known vulnerabilities, potentially increasing the risk of exploitation in the application environment. | [email protected] | 4.0 | 0.01% | 2026-05-20 | 2026-05-20 |
| CVE-2025-15634 | A missing authorization vulnerability in HCL BigFix WebUI allows an authenticated user without proper permissions to view sensitive environmental information via direct URL access to the unauthorized page. | [email protected] | 5.3 | 0.03% | 2026-05-09 | 2026-05-14 |
| CVE-2025-15633 | An improper authorization vulnerability in HCL BigFix WebUI allows an authenticated user without Master Operator privileges to access internal data (site names, versions, and configuration variables) and bypass privilege requirements via unprotected endpoints lacking adequate security headers. | [email protected] | 5.3 | 0.04% | 2026-05-09 | 2026-05-14 |
| CVE-2025-31974 | HCL BigFix Service Management (SM) is susceptible to a Root File System Not Mounted as Read-Only. An improperly configured root file system may allow unintended modifications to critical system components, potentially increasing the risk of system compromise or unauthorized changes. | [email protected] | 3.9 | 0.03% | 2026-05-06 | 2026-05-11 |
| CVE-2025-31960 | HCL BigFix Service Management (SM) is vulnerable to information exposure due to improper error handling within its reporting module. It was observed that supplying an invalid or out-of-range value to the consumer_company parameter during a report-viewing request causes the application to trigger an unhandled exception. | [email protected] | 5.3 | 0.03% | 2026-05-06 | 2026-05-07 |
| CVE-2024-30151 | HCL BigFix Service Management (SX) is affected by a Broken Access Control vulnerability leading to privilege escalation. This could allow unauthorized users to gain elevated privileges, bypassing intended access restrictions. This may result in exposure of sensitive data or unauthorized system modifications | [email protected] | 8.3 | 0.04% | 2026-05-06 | 2026-05-07 |
| CVE-2025-52613 | HCL BigFix Service Management (SM) is affected by use of a vulnerable WSGI Server was identified. Deploying an outdated or insecure WSGI server may expose the application to known security weaknesses, potentially increasing the risk of exploitation and unauthorized access. | [email protected] | 4.6 | 0.06% | 2026-05-06 | 2026-05-07 |
| CVE-2025-31984 | HCL BigFix Service Management (SM) is affected by a security misconfiguration due to a missing or insecure “X-Content-Type-Options” header. This could allow browsers to perform MIME-type sniffing, potentially causing malicious content to be interpreted and executed incorrectly. | [email protected] | 3.7 | 0.03% | 2026-05-06 | 2026-05-07 |
| CVE-2025-31983 | HCL BigFix Service Management (SM) is affected by a security misconfiguration vulnerability due to CSP header. This could allow attackers to inject malicious scripts increasing the risk of cross-site scripting (XSS) and potential exposure of sensitive information. | [email protected] | 3.7 | 0.03% | 2026-05-06 | 2026-05-06 |
| CVE-2025-31982 | HCL BigFix Service Management (SM) had directories that were not linked or publicly visible but could be accessed directly. This could allow an increased risk of information disclosure or misuse of sensitive functionality. | [email protected] | 3.7 | 0.03% | 2026-05-06 | 2026-05-06 |
| CVE-2025-31978 | HCL BigFix Service Management (SM) does not adequately sanitize or safely render spreadsheet files (CSV, XLS, XLSX) before processing or distributing them. An attacker could populate data fields which, when saved to a CSV file, may attempt information exfiltration or other malicious activity when automatically executed by the spreadsheet software. Note that current versions of Excel warn users of untrusted content. | [email protected] | 4.6 | 0.03% | 2026-05-06 | 2026-05-07 |
| CVE-2025-31976 | HCL BigFix Service Management (SM) is vulnerable to insufficiently protected credentials for a short duration while communicating with a backend, internal application which could allow an attacker to potentially misuse them, if exfiltrated. . | [email protected] | 4.8 | 0.03% | 2026-05-06 | 2026-05-07 |
| CVE-2025-31975 | HCL BigFix Service Management (SM) is affected by an Information Disclosure – Server Banner issue was identified. Exposed server banners may reveal software versions and system details, potentially aiding attackers in targeting known vulnerabilities. | [email protected] | 2.6 | 0.01% | 2026-05-06 | 2026-05-07 |
| CVE-2025-31959 | HCL BigFix Service Management (SM) application fails to strip EXIF metadata from uploaded images. This could lead to confidentiality and privacy risks if sensitive location information is unintentionally shared. . | [email protected] | 3.5 | 0.03% | 2026-05-06 | 2026-05-07 |