CVE-2023-37520 — Cross-site Scripting in Bigfix Platform

CWE-79 — Cross-site Scripting3 documents3 sources

Severity

6.1MEDIUMNVD

CNA7.7

EPSS

0.2%

top 63.03%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Hcltech Bigfix Platform HCL Software HCL Bigfix Platform

Timeline

PublishedDec 21

Latest updateDec 22

Description

Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability identified in BigFix Server version 9.5.12.68, allowing for potential data exfiltration. This XSS vulnerability is in the Gather Status Report, which is served by the BigFix Relay.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

▶NVDhcltech/bigfix_platform9.5 — 9.5.23+2

▶CVEListV5hcl_software/hcl_bigfix_platform9.5.x, 10.0.x, 11.0.0

🔴Vulnerability Details

GHSA

GHSA-hrwf-qr34-wrcx: Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability identified in BigFix Server version 9↗2023-12-22

▶

CVEList

HCL BigFix Platform is affected by Unathenticated Stored Cross-Site Scripting (XSS)↗2023-12-21

▶