Cross-Site Scripting Vulnerability in IBM and Lenovo System x IMM2
CVE-2020-8340
Key Information:
- Vendor: Lenovo
- Status
- System x IMM2 firmware for: x240, Machine Types: 7162, 2588; x440, Machine Type 7167, 2590; x3750 M4, Machine Type: 8753; x3250 M6, Machine Type 3633, 3943; nx360 M5, Machine Type 5465, 5467; x280/x480/x880 X6, Machine Type 7196, 4258; x3850 X6 and x3950 X6, Machine Type 6241; x3550 M5, Machine Type 5463, 8869; x3650 M5, Machine Type 5462, 8871; x3500 M5, Machine Type 5464, 5478
- System x IMM2 firmware for x240 M5, Machine Types: 9532, 2591
- System x IMM2 firmware
- Vendor
- CVE Published: 15 September 2020
Summary
A cross-site scripting (XSS) vulnerability was identified in the embedded Baseboard Management Controller (BMC) web interface of IBM and Lenovo System x IMM2, prior to version 5.60. This issue can potentially allow an attacker to execute malicious JavaScript code in a victim's web browser by convincing them to access a specially crafted URL, which may be delivered through phishing tactics. The risk of successful exploitation is contingent upon the attacker possessing specific knowledge related to the user’s network, and the affected user's access rights and authentication status. Notably, the JavaScript is executed in the user's environment and does not affect the IMM2 system itself.
Affected Version(s)
System x IMM2 firmware < 5.60
System x IMM2 firmware for x240 M5, Machine Types: 9532, 2591 < 5.61
System x IMM2 firmware for: x240, Machine Types: 7162, 2588; x440, Machine Type 7167, 2590; x3750 M4, Machine Type: 8753; x3250 M6, Machine Type 3633, 3943; nx360 M5, Machine Type 5465, 5467; x280/x480/x880 X6, Machine Type 7196, 4258; x3850 X6 and x3950 X6, Machine Type 6241; x3550 M5, Machine Type 5463, 8869; x3650 M5, Machine Type 5462, 8871; x3500 M5, Machine Type 5464, 5478 < 5.60