HCL BigFix Remote Control Server WebUI is affected by a misconfigured Content Security Policy
Summary
| CVE | CVE-2026-21785 |
|---|---|
| State | PUBLISHED |
| Assigner | HCL |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-05-27 21:16:17 UTC |
| Updated | 2026-06-01 18:04:45 UTC |
| Description | A misconfigured Content Security Policy (CSP) in HCL BigFix Remote Control Server WebUI (versions 10.1.0.0442 and earlier) fails to define directives without fallbacks, allowing attackers to bypass intended security restrictions and load unauthorized resources. |
Risk And Classification
Primary CVSS: v3.1 4 MEDIUM from [email protected]
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.000230000 probability, percentile 0.069020000 (date 2026-06-01)
Problem Types: CWE-1021 Improper Restriction of Rendered UI Layers or Frames
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Secondary | 4 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N |
| 3.1 | CNA | CVSS | 4 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N |
CVSS v3.1 Breakdown
| Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | High |
| Privileges Required | High |
| User Interaction | Required |
| Scope | Changed |
| Confidentiality | Low |
| Integrity | Low |
| Availability | None |
| Vector | CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | HCLSoftware | BigFix Remote Control Server | <= 10.1.0.0442 (affected) | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| support.hcl-software.com/csm | [email protected] | support.hcl-software.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.