VYPR

HCL BigFix WebUI

by HCL Software

CVEs (10)

  • CVE-2025-52647 Med Oct 10, 2025
    risk 0.40 cvss 6.1 epss 0.00

    The BigFix WebUI application responds with HOST information from the HTTP header field making it vulnerable to Host Header Poisoning Attacks.

  • CVE-2023-28023 Jul 18, 2023
    risk 0.00 cvss epss 0.00

    A cross site request forgery vulnerability in the BigFix WebUI Software Distribution interface site version 44 and before allows an NMO attacker to access files on server side systems (server machine and all the ones in its network). 

  • CVE-2023-28021 Jul 18, 2023
    risk 0.00 cvss epss 0.00

    The BigFix WebUI uses weak cipher suites.

  • CVE-2023-28020 Jul 18, 2023
    risk 0.00 cvss epss 0.00

    URL redirection in the Login page in HCL BigFix WebUI allows a malicious user to redirect the client browser to an external site via the redirect URL response header.

  • CVE-2023-28019 Jul 18, 2023
    risk 0.00 cvss epss 0.00

    Insufficient validation in BigFix WebUI API App site version < 14 allows an authenticated WebUI user to issue SQL queries via an unparameterized SQL query.

  • CVE-2022-38655 Dec 20, 2022
    risk 0.00 cvss epss 0.00

    BigFix WebUI non-master operators are missing controls that prevent them from being able to modify the relevance of fixlets or to deploy fixlets from the BES Support external site.

  • CVE-2022-27545 Jul 19, 2022
    risk 0.00 cvss epss 0.00

    BigFix Web Reports authorized users may perform HTML injection for the email administrative configuration page.

  • CVE-2022-27544 Jul 19, 2022
    risk 0.00 cvss epss 0.00

    BigFix Web Reports authorized users may see SMTP credentials in clear text.

  • CVE-2021-27764 May 6, 2022
    risk 0.00 cvss epss 0.01

    Cookie without HTTPONLY flag set. NUMBER cookie(s) was set without Secure or HTTPOnly flags. The images show the cookie with the missing flag. (WebUI)

  • CVE-2020-4104 Jul 17, 2020
    risk 0.00 cvss epss 0.01

    HCL BigFix WebUI is vulnerable to stored cross-site scripting (XSS) within the Apps->Software module. An attacker can use XSS to send a malicious script to an unsuspecting user. This affects all versions prior to latest releases as specified in…