The software may be vulnerable to both unauthenticated XML interaction and unauthenticated device enrollment.
CVSS: 5.3
AI Score: 5.3
EPSS: 0.001
The Master operator may be able to embed a script tag in HTML that displays the cookie in an alert pop-up.
CVSS: 6.6
AI Score: 5
EPSS: 0.001
HCL BigFix Mobile / Modern Client Management Admin and Config UI passwords can be brute-forced. Users should be locked out after multiple invalid attempts.
CVSS: 7.5
AI Score: 7.6
EPSS: 0.002
A user-generated PPKG file for Bulk Enroll may expose unencrypted sensitive information.
CVSS: 6.8
AI Score: 6.3
EPSS: 0.001
HCL BigFix Mobile is vulnerable to a command injection attack. An authenticated attacker could run arbitrary shell commands on the WebUI server.
CVSS: 8.8
AI Score: 8.9
EPSS: 0.001
HCL BigFix Mobile is vulnerable to a cross-site scripting attack. An authenticated attacker could inject malicious scripts into the application.
CVSS: 6.6
AI Score: 5.1
EPSS: 0.001