{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-15633","assignerOrgId":"1e47fe04-f25f-42fa-b674-36de2c5e3cfc","state":"PUBLISHED","assignerShortName":"HCL","dateReserved":"2026-04-14T05:56:25.354Z","datePublished":"2026-05-09T04:58:55.241Z","dateUpdated":"2026-05-11T17:30:11.814Z"},"containers":{"cna":{"providerMetadata":{"orgId":"1e47fe04-f25f-42fa-b674-36de2c5e3cfc","shortName":"HCL","dateUpdated":"2026-05-09T04:58:55.241Z"},"title":"HCL BigFix WebUI is affected by an improper authorization vulnerability","datePublic":"2026-05-09T03:56:00.000Z","problemTypes":[{"descriptions":[{"lang":"en","cweId":"CWE-863","description":"CWE-863 Incorrect Authorization","type":"CWE"}]}],"affected":[{"vendor":"HCLSoftware","product":"BigFix WebUI","versions":[{"status":"affected","version":"all versions"}],"defaultStatus":"unaffected"}],"descriptions":[{"lang":"en","value":"An improper authorization vulnerability in HCL BigFix WebUI allows an authenticated user without Master Operator privileges to access internal data (site names, versions, and configuration variables) and bypass privilege requirements via unprotected endpoints lacking adequate security headers.","supportingMedia":[{"type":"text/html","base64":false,"value":"<p>An improper authorization vulnerability in HCL BigFix WebUI allows an authenticated user without Master Operator&nbsp;privileges to access internal data (site names, versions, and configuration variables) and bypass privilege requirements via unprotected endpoints lacking adequate security headers.</p>"}]}],"references":[{"url":"https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0130587"}],"metrics":[{"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}],"cvssV4_0":{"attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"LOW","subConfidentialityImpact":"LOW","vulnIntegrityImpact":"NONE","subIntegrityImpact":"NONE","vulnAvailabilityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED","version":"4.0","baseSeverity":"MEDIUM","baseScore":5.3,"vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N"}}],"source":{"discovery":"UNKNOWN"},"x_generator":{"engine":"Vulnogram 1.0.2"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-05-11T17:29:56.867689Z","id":"CVE-2025-15633","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-05-11T17:30:11.814Z"}}]}}