BMC Control-M Vulnerability Allows Phishing Attacks via HTML Injection
CVE-2024-1606
What is CVE-2024-1606?
A vulnerability exists within BMC Control-M versions 9.0.20 and 9.0.21 that stems from inadequate input sanitization. This flaw allows authenticated users to manipulate generated web pages by injecting malicious HTML code. Such injections can mislead users into clicking deceptive hyperlinks that redirect to attacker-controlled websites, thereby facilitating potential phishing attacks. To address this security concern, BMC has released patches for the affected versions: 9.0.20.238 for the 9.0.20 branch and 9.0.21.200 for the 9.0.21 branch.

Affected Version(s)
Control-M 9.0.20 < 9.0.20.238
Control-M 9.0.21 < 9.0.21.200
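
An added example (not BMC's code or tooling): a Python check that sorts a host inventory into affected and patched, using the fixed builds listed above. The dotted `a.b.c.d` version-string format, the status labels and the sample hostnames are assumptions made for illustration.

```python
import re

# Fixed build per branch, taken from the advisory text above.
FIXED = {(9, 0, 20): (9, 0, 20, 238), (9, 0, 21): (9, 0, 21, 200)}


def parse_version(text):
    """Parse 'a.b.c' or 'a.b.c.d' into a 4-tuple; a missing 4th field counts as 0.

    Assumption: installed versions are reported in this dotted numeric form.
    """
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?\s*", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g or 0) for g in m.groups())


def triage(version_text):
    """Return 'affected', 'patched' or 'not-listed' for one version string."""
    v = parse_version(version_text)
    fixed = FIXED.get(v[:3])
    if fixed is None:
        return "not-listed"  # branch not covered by this advisory
    # Tuple comparison is numeric, so 9.0.20.99 < 9.0.20.238 holds.
    return "affected" if v < fixed else "patched"


def triage_inventory(rows):
    """Map host -> status; malformed versions are flagged rather than dropped."""
    result = {}
    for host, version in rows:
        try:
            result[host] = triage(version)
        except ValueError:
            result[host] = "unparseable"
    return result


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [
    ("ctm-a", "9.0.20.99"),
    ("ctm-b", "9.0.20.238"),
    ("ctm-c", "9.0.21"),
    ("ctm-d", "9.0.21.300"),
    ("ctm-e", "9.0.19.200"),
    ("ctm-f", "unknown"),
]

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE).items():
        print(f"{host:8} {status}")
```

Hosts reported as `not-listed` or `unparseable` need a manual look; the advisory only names the 9.0.20 and 9.0.21 branches.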
