CVE-2023-37527: 
HCL BigFix Server vulnerability analysis and mitigation

A reflected cross-site scripting (XSS) vulnerability (CVE-2023-37527) was identified in the Web Reports component of HCL BigFix Platform. The vulnerability was disclosed on February 2, 2024, affecting versions 9.5 through 9.5.24, 10.0.0 through 10.0.11, and 11.0.0 (NVD CVE).

The vulnerability allows an attacker to execute malicious JavaScript code in the application session or database through remote injection while rendering content in a web page. The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (Medium) by NIST with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating network accessibility, low attack complexity, no privileges required, and user interaction required (NVD CVE).

If exploited, this vulnerability could lead to the execution of malicious JavaScript code in the user's browser session or the application's database, potentially compromising confidentiality and integrity of the affected system. The CVSS metrics indicate low impacts on both confidentiality and integrity, with no impact on availability (NVD CVE).

The vulnerability affects HCL BigFix Platform versions 9.5 through 9.5.24, 10.0.0 through 10.0.11, and 11.0.0. Users should upgrade to the latest patched version as recommended by HCL Software (NVD CVE).