BigFix Modern Client Management (MCM)
by HCL Software
CVEs (6)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-27783 | | Med | 0.44 | 6.8 | 0.00 | | May 25, 2022 | User generated PPKG file for Bulk Enroll may have unencrypted sensitive information exposed. |
| CVE-2023-28025 | | Med | 0.43 | 6.6 | 0.00 | | Dec 21, 2023 | Due to this vulnerability, the Master operator could potentially incorporate an SVG tag into HTML, leading to an alert pop-up displaying a cookie. To mitigate stored XSS vulnerabilities, a preventive measure involves thoroughly sanitizing and validating all user inputs before… |
| CVE-2021-27781 | | Med | 0.43 | 6.6 | 0.00 | | May 27, 2022 | The Master operator may be able to embed script tag in HTML with alert pop-up display cookie. |
| CVE-2021-27780 | | Med | 0.35 | 5.3 | 0.01 | | May 27, 2022 | The software may be vulnerable to both Un-Auth XML interaction and unauthenticated device enrollment. |
| CVE-2025-0276 | | | 0.00 | — | 0.00 | | Oct 16, 2025 | HCL BigFix Modern Client Management (MCM) 3.3 and earlier are vulnerable to certain insecure directives within the Content Security Policy (CSP). An attacker could trick users into performing actions by not properly restricting the sources of scripts and other content. |
| CVE-2025-0274 | | | 0.00 | — | 0.00 | | Oct 16, 2025 | HCL BigFix Modern Client Management (MCM) 3.3 and earlier is affected by improper access control. Unauthorized users can access a small subset of endpoint actions, potentially allowing access to select internal functions. |