An improper authorization vulnerability in HCL BigFix WebUI allows an authenticated user without Master Operator privileges to access internal data (site names, versions, and configuration variables) and bypass privilege requirements via unprotected endpoints lacking adequate security headers.
References
| Link | Resource |
|---|---|
| https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0130587 | Vendor Advisory |
History
14 May 2026, 20:28
| Type | Values Removed | Values Added |
|---|---|---|
| First Time | Hcltech; Hcltech bigfix Webui Application Administration, Hcltech bigfix Webui Cmep, Hcltech bigfix Webui Framework, Hcltech bigfix Webui Profile Management, Hcltech bigfix Webui Ivr, Hcltech bigfix Webui Query, Hcltech bigfix Webui Patch Policies, Hcltech bigfix Webui Custom, Hcltech bigfix Webui Scm, Hcltech bigfix Webui Take Action, Hcltech bigfix Webui Permissions And Preferences, Hcltech bigfix Webui Extensions, Hcltech bigfix Webui Api, Hcltech bigfix Webui Content App, Hcltech bigfix Webui Reports, Hcltech bigfix Webui Common, Hcltech bigfix Webui Data Sync, Hcltech bigfix Webui Insights, Hcltech bigfix Webui Patch, Hcltech bigfix Webui Software Distribution, Hcltech bigfix Webui Mdm |
| CVSS | v2 : v3 : | v2 : unknown, v3 : 6.5 |
| References | () https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0130587 - Vendor Advisory | |
| CPE | cpe:2.3:a:hcltech:bigfix_webui_reports:*:*:*:*:*:*:*:* cpe:2.3:a:hcltech:bigfix_webui_patch:*:*:*:*:*:*:*:* cpe:2.3:a:hcltech:bigfix_webui_take_action:*:*:*:*:*:*:*:* cpe:2.3:a:hcltech:bigfix_webui_data_sync:*:*:*:*:*:*:*:* cpe:2.3:a:hcltech:bigfix_webui_profile_management:*:*:*:*:*:*:*:* cpe:2.3:a:hcltech:bigfix_webui_api:*:*:*:*:*:*:*:* cpe:2.3:a:hcltech:bigfix_webui_insights:*:*:*:*:*:*:*:* cpe:2.3:a:hcltech:bigfix_webui_content_app:*:*:*:*:*:*:*:* cpe:2.3:a:hcltech:bigfix_webui_permissions_and_preferences:*:*:*:*:*:*:*:* cpe:2.3:a:hcltech:bigfix_webui_cmep:*:*:*:*:*:*:*:* cpe:2.3:a:hcltech:bigfix_webui_query:*:*:*:*:*:*:*:* cpe:2.3:a:hcltech:bigfix_webui_application_administration:*:*:*:*:*:*:*:* cpe:2.3:a:hcltech:bigfix_webui_common:*:*:*:*:*:*:*:* cpe:2.3:a:hcltech:bigfix_webui_patch_policies:*:*:*:*:*:*:*:* cpe:2.3:a:hcltech:bigfix_webui_software_distribution:*:*:*:*:*:*:*:* cpe:2.3:a:hcltech:bigfix_webui_mdm:*:*:*:*:*:*:*:* cpe:2.3:a:hcltech:bigfix_webui_ivr:*:*:*:*:*:*:*:* cpe:2.3:a:hcltech:bigfix_webui_framework:*:*:*:*:*:*:*:* cpe:2.3:a:hcltech:bigfix_webui_extensions:*:*:*:*:*:*:*:* cpe:2.3:a:hcltech:bigfix_webui_custom:*:*:*:*:*:*:*:* cpe:2.3:a:hcltech:bigfix_webui_scm:*:*:*:*:*:*:*:* |
09 May 2026, 06:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-05-09 06:16
Updated : 2026-05-14 20:28
NVD link : CVE-2025-15633
Mitre link : CVE-2025-15633
CVE.ORG link : CVE-2025-15633
Products Affected
hcltech
- bigfix_webui_content_app
- bigfix_webui_framework
- bigfix_webui_extensions
- bigfix_webui_insights
- bigfix_webui_reports
- bigfix_webui_software_distribution
- bigfix_webui_api
- bigfix_webui_query
- bigfix_webui_permissions_and_preferences
- bigfix_webui_cmep
- bigfix_webui_patch_policies
- bigfix_webui_take_action
- bigfix_webui_scm
- bigfix_webui_custom
- bigfix_webui_data_sync
- bigfix_webui_mdm
- bigfix_webui_patch
- bigfix_webui_ivr
- bigfix_webui_application_administration
- bigfix_webui_common
- bigfix_webui_profile_management
CWE
CWE-863
Incorrect Authorization
