Cross-Site Scripting Vulnerability in IBM BladeCenter Advanced Management Module
CVE-2020-8339

4.3 MEDIUM

Key Information:

Vendor: IBM
CVE Published: 15 September 2020

Summary

A cross-site scripting inclusion (XSSI) vulnerability exists in the legacy IBM BladeCenter Advanced Management Module (AMM) web interface and can expose user credentials under specific conditions. It can be exploited when an authenticated user visits a malicious site, potentially as a result of phishing. A successful attack depends on knowledge of the user's network and requires the user to be logged into the AMM while accessing the malicious site, using a browser that lacks inherent protection against this class of vulnerability. Notably, exploitation does not execute JavaScript within the AMM itself; it operates through the user's session.

Affected Version(s)

BladeCenter AMM firmware < 3.68n [BPET68N]

CVSS V3.1

Score: 4.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Lenovo thanks Cybersecurity lab, CS Dept, Lomonosov Moscow State University (SecLab@MSU) for reporting this issue.