
HCL BigFix WebUI Flaw Redirects Users to External Sites

HCL BigFix is an endpoint management platform that has the capability to automate discovery, management, and remediation.

It can find and fix vulnerabilities on endpoints whether it be on-premises, cloud, or virtual environments, regardless of the operating system, location, or connectivity.

Recent reports from HCL state that a redirect flaw in the login page allowed threat actors to redirect the client browser to external sites.

CVE-2023-28020: URL redirection in the Login page in HCL BigFix WebUI

This flaw exists in the login page of HCL BigFix WebUI and allows an attacker to redirect the client browser to an external site via a redirect URL response header.
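The defensive counterpart of the flaw described above, as an added example that is not HCL's code: a login handler resolves the requested post-login destination against the application's own origin before emitting the redirect header, and falls back to a local landing page whenever the destination would leave that origin. The origin, paths and handler names are constructed assumptions for illustration.

```javascript
// Added example, not taken from HCL BigFix. The application origin below is a
// constructed placeholder, not a real host.
const APP_ORIGIN = "https://bigfix.example.internal";

// Vulnerable pattern: whatever the client supplied lands in the Location
// header unchanged, so "//evil.example" or "https://evil.example" is honoured.
function unsafeLoginRedirect(next) {
  return { status: 302, headers: { Location: next } };
}

// Returns an absolute URL on APP_ORIGIN, or the fallback path resolved on
// APP_ORIGIN when the candidate is missing, unparsable, or resolves elsewhere.
function safeRedirectTarget(candidate, fallback = "/") {
  const base = new URL(APP_ORIGIN);
  const safeFallback = new URL(fallback, base).href;
  if (typeof candidate !== "string" || candidate.length === 0) return safeFallback;
  let target;
  try {
    // Relative paths resolve against the app origin; absolute URLs keep theirs.
    target = new URL(candidate, base);
  } catch {
    return safeFallback;
  }
  // Comparing the full origin (scheme + host + port) rejects scheme-relative
  // ("//evil"), backslash ("/\evil"), userinfo ("https://app@evil"), look-alike
  // hosts ("app.evil") and non-HTTP schemes ("javascript:"), whose origin is "null".
  if (target.origin !== base.origin) return safeFallback;
  return target.href;
}

// Hardened pattern: the header only ever carries a validated same-origin URL.
function safeLoginRedirect(next) {
  return { status: 302, headers: { Location: safeRedirectTarget(next) } };
}
```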

The vulnerability has been assigned a severity score of 4.3 (medium).

HCL has released security patches fixing this vulnerability, along with several other vulnerabilities discovered by external researchers.

Other vulnerability patches

Several other vulnerabilities related to HCL BigFix that were patched alongside it include:

  • Prototype Pollution in SheetJS Community Edition before 0.19.3
  • SSRF bypass in Node.js
  • Uncaught exception that terminates the Node.js process
  • Uncaught exception in socket.io that terminates the Node.js process
  • Authenticated users can run SQL queries via an unparameterized SQL query
  • Weak cipher suites
  • Cross-Site Request Forgery allowing access to server-side files

Affected Products and Fixed Versions

WebUI Site Name                      Fixed in Version
------------------------------------------------------
Application Administration           31
Common                               79
Custom                               42
Insights                             19
Patch                                40
IVR                                  7
Patch Policies                       36
Profile Management                   24
Query                                34
Software Distribution                46
WebUI API                            17
WebUI Content App                    20
WebUI CMEP                           13
WebUI Data Sync                      24
WebUI Framework                      26
WebUI MDM                            18
WebUI Permissions and Preferences    19
WebUI Reports                        15
WebUI Take Action                    27
WebUI SCM                            9
WebUI Extensions                     5

Users of these products are recommended to upgrade to the latest version to prevent exploitation by threat actors.

Source: https://cybersecuritynews.com/hcl-bigfix-webui-flaw/
