Cross-Site Scripting Vulnerability in IBM BladeCenter Advanced Management Module
CVE-2020-8339

4.3MEDIUM

Key Information:

Vendor: IBM
Status: Bladecenter Amm Firmware
Vendor: CVE Published:; 15 September 2020

Summary

A cross-site scripting inclusion vulnerability exists in the legacy IBM BladeCenter Advanced Management Module (AMM) web interface, allowing exposed user credentials under specific conditions. This vulnerability can be exploited when an authenticated user visits a malicious site, potentially as a result of phishing tactics. The attack's success hinges on the user's network knowledge and requires the user to be logged into the AMM while accessing the malicious site, using a browser lacking inherent protection against such vulnerabilities. Notably, the exploitation does not execute JavaScript within the AMM itself, but rather operates through the user's session.

Affected Version(s)

BladeCenter AMM firmware < 3.68n [BPET68N]

References

https://support.lenovo.com/us/en/product_security/LEN-38385

x_refsource_MISC

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Sep 15, 2020
Vulnerability Reserved
Jan 28, 2020

Credit

Lenovo thanks Cybersecurity lab, CS Dept, Lomonosov Moscow State University (SecLab@MSU) for reporting this issue.