HCL BigFix WebUI Flaw Redirects User to External Site

by Esmeralda McKenzie

HCL BigFix is an endpoint management platform that can automate discovery, management, and remediation.

It can find and fix vulnerabilities on endpoints, whether on-premises, in the cloud, or in virtual environments, regardless of operating system, location, or connectivity.

Recent reports from HCL state that a redirect flaw in the login page allowed threat actors to redirect the user's browser to external sites.

CVE-2023-28020: URL redirection in the Login page in HCL BigFix WebUI

This flaw exists in the login page of HCL BigFix WebUI and allows an attacker to redirect the user's browser to an external site via a redirect URL response header.

The severity of this vulnerability is given as 4.3 (medium).

HCL has released security patches fixing this vulnerability along with several other vulnerabilities discovered by external researchers.
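One way to close this class of login-page redirect flaw is to validate the post-login redirect parameter before it is written to the Location response header. The following is an added example, not code from HCL or from the original article; the origin, the function name and the sample inputs are assumptions made for illustration.

```javascript
// Added example: allow only same-site paths as post-login redirect targets.
// APP_ORIGIN, DEFAULT_TARGET and safeRedirectTarget are hypothetical names,
// not part of BigFix WebUI.
const APP_ORIGIN = "https://webui.example.com"; // assumed deployment origin
const DEFAULT_TARGET = "/";

function safeRedirectTarget(raw) {
  if (typeof raw !== "string" || raw.length === 0) return DEFAULT_TARGET;
  // Reject control characters (header injection, and tabs/newlines that URL
  // parsers silently strip) and backslashes, which URL parsers treat as "/"
  // for http(s) URLs.
  if (/[\u0000-\u001f\u007f\\]/.test(raw)) return DEFAULT_TARGET;
  // Accept only absolute paths with a single leading slash.
  // "//host/..." is protocol-relative and would leave the site.
  if (!raw.startsWith("/") || raw.startsWith("//")) return DEFAULT_TARGET;
  let resolved;
  try {
    resolved = new URL(raw, APP_ORIGIN);
  } catch {
    return DEFAULT_TARGET;
  }
  // Defence in depth: after resolution the origin must still be our own.
  if (resolved.origin !== APP_ORIGIN) return DEFAULT_TARGET;
  // Return a relative reference so the Location header never names a host.
  return resolved.pathname + resolved.search + resolved.hash;
}

// Constructed sample values for a login page's redirect parameter.
const SAMPLES = [
  "/dashboard?tab=1",        // same-site path: kept
  "https://other.example/",  // absolute external URL: replaced
  "//other.example/x",       // protocol-relative URL: replaced
  "/\\other.example",        // backslash variant: replaced
  "/\t/other.example",       // tab stripped by URL parsers: replaced
];
for (const s of SAMPLES) {
  console.log(JSON.stringify(s), "->", safeRedirectTarget(s));
}
```
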

Other vulnerability patches

Several other vulnerabilities related to HCL BigFix that have been patched include:

  • Prototype Pollution in SheetJS Community Edition before 0.19.3
  • SSRF Bypass on Node.js
  • Uncaught exception triggers the killing of the Node.js process
  • An uncaught exception in socket.io kills the Node.js process
  • Authenticated users can run SQL queries via an unparameterized SQL query
  • Weak Cipher Suites
  • Cross-Site Request Forgery enables access to server-side data

Affected Products and Fixed Versions

| WebUI Site Name | Fixed in Version |
|---|---|
| Application Administration | 31 |
| Common | 79 |
| Custom | 42 |
| Insights | 19 |
| Patch | 40 |
| IVR | 7 |
| Patch Policies | 36 |
| Profile Management | 24 |
| Query | 34 |
| Software Distribution | 46 |
| WebUI API | 17 |
| WebUI Content App | 20 |
| WebUI CMEP | 13 |
| WebUI Data Sync | 24 |
| WebUI Framework | 26 |
| WebUI MDM | 18 |
| WebUI Permissions and Preferences | 19 |
| WebUI Reports | 15 |
| WebUI Take Action | 27 |
| WebUI SCM | 9 |
| WebUI Extensions | 5 |

Users of these products are advised to upgrade to the latest version to keep threat actors from exploiting these flaws.

Source credit: cybersecuritynews.com
