HCL BigFix SCM Reporting removes vulnerable component
A security patch closes a vulnerability in HCL BigFix SCM Reporting that attackers could exploit to execute malicious code.
(Image: Photon photo/Shutterstock.com)
The jQuery 1.x library bundled with HCL BigFix SCM Reporting has reached end of life and no longer receives security updates, so a recently discovered vulnerability in it would otherwise remain unpatched. The HCL BigFix developers have therefore removed the component.
Admins manage endpoints via HCL BigFix; within it, SCM Reporting provides, among other things, analysis data about the managed PCs.
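Since the fix here is the removal of an end-of-life library rather than a patch to it, the check a practitioner wants is an inventory: which jQuery builds are still shipped anywhere in a deployment, and which of them are 1.x. The following script is an added example, not HCL's code and not part of the original article. It relies on the version string that jQuery itself writes into the header comment of every build ("jQuery JavaScript Library v1.12.4" in the uncompressed file, "jQuery v1.12.4" in the minified one); the directory paths and the sample headers are constructed for illustration. Treating 2.x as end-of-life alongside the 1.x line named in the article is this script's own assumption.

```python
"""Inventory bundled jQuery copies and flag end-of-life builds.

Added example, not HCL's code. It assumes jQuery's own header formats:
"jQuery JavaScript Library v1.12.4" (uncompressed) and "jQuery v1.12.4"
(minified). Paths and sample headers are constructed for illustration.
"""
import os
import re
from typing import Dict, Iterator, List, Optional, Tuple

Version = Tuple[int, int, int]

# Both build flavours carry the version in the leading header comment.
VERSION_RE = re.compile(r"jQuery(?: JavaScript Library)? v(\d+)\.(\d+)\.(\d+)")

# The article concerns jQuery 1.x. Flagging 2.x as well is this script's
# assumption (upstream support for 2.x ended alongside 1.x); adjust to policy.
EOL_MAJOR_MAX = 2

# Only the top of the file is needed: jQuery's header is its first comment.
HEADER_BYTES = 4096


def parse_version(header: str) -> Optional[Version]:
    """Return (major, minor, patch) from a jQuery header, or None if absent."""
    m = VERSION_RE.search(header)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_eol(version: Version) -> bool:
    """True for builds whose major line no longer receives security fixes."""
    return version[0] <= EOL_MAJOR_MAX


def scan_files(files: Dict[str, str]) -> List[Tuple[str, Version, bool]]:
    """Classify an in-memory {path: file_head} mapping.

    Returns (path, version, eol) for every entry with a jQuery header; files
    without one (other JavaScript, unrelated text) are skipped silently.
    """
    findings = []
    for path, head in sorted(files.items()):
        version = parse_version(head)
        if version is not None:
            findings.append((path, version, is_eol(version)))
    return findings


def scan_tree(root: str) -> Iterator[Tuple[str, Version, bool]]:
    """Walk a directory tree and classify every .js file with a jQuery header."""
    for dirpath, _, names in os.walk(root):
        heads: Dict[str, str] = {}
        for name in names:
            if not name.endswith(".js"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    heads[path] = fh.read(HEADER_BYTES)
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
        yield from scan_files(heads)


# Constructed sample headers, shaped like jQuery's real ones (not real files).
SAMPLE_FILES = {
    "web/js/jquery.min.js": "/*! jQuery v1.12.4 | (c) jQuery Foundation | jquery.org/license */",
    "web/js/jquery-3.7.1.js": "/*!\n * jQuery JavaScript Library v3.7.1\n * https://jquery.com/\n */",
    "web/js/vendor/jquery-1.11.3.js": "/*!\n * jQuery JavaScript Library v1.11.3\n */",
    "web/js/app.js": "// application code, no jQuery header here",
}


if __name__ == "__main__":
    for path, version, eol in scan_files(SAMPLE_FILES):
        tag = "EOL" if eol else "ok"
        print(f"{tag:4} {'.'.join(map(str, version)):8} {path}")
```

Point `scan_tree` at the web root of a deployment to find copies that a removed component may have left behind or that other modules still ship. In a running page the same version string is available as `jQuery.fn.jquery` in the browser console.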
The vulnerability
According to the advisory, the security vulnerability (CVE-2026-21821) is rated “high”. The brief description states that attackers can exploit it for cross-site scripting (XSS) attacks, which lets attacker-controlled script execute in the browsers of users of the web interface.
To prevent attacks, admins must install version 168 via the SCM Reporting settings. So far there are no reports of the vulnerability being exploited in the wild.
Admins of HCL BigFix have had to patch frequently of late: at the end of April, the manufacturer fixed flawed access controls in HCL BigFix Service Management with a fresh program version.
(des)