BMC Control-M Vulnerability Allows Phishing Attacks via HTML Injection
CVE-2024-1606
5.4 MEDIUM
What is CVE-2024-1606?
BMC Control-M versions 9.0.20 and 9.0.21 do not adequately sanitize user-supplied input before including it in generated web pages. An authenticated user can inject arbitrary HTML that is rendered as part of the application's pages; an injected hyperlink that looks like a legitimate part of the page can send other users to an attacker-controlled site, which makes the flaw a phishing vector. Exploitation requires the victim to interact with the injected content. BMC has released fixes for both branches: upgrade to 9.0.20.238 on the 9.0.20 branch or to 9.0.21.200 on the 9.0.21 branch.
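The following Python snippet is an added illustration of the bug class described above and its fix; it is not Control-M code and the advisory does not say which input field is affected, so the "Description" field, the sample value and the login-portal domain are all constructed for the example. It renders the same attacker-controlled value through a vulnerable (unescaped) and a fixed (escaped) output path and checks which one produces a clickable link.

```python
import html
import re

# Constructed sample input. An authenticated user controls this free-text
# value and the application reflects it into a generated page. The field
# ("Description") and the domain are hypothetical; the advisory does not
# name the affected Control-M input.
INJECTED_VALUE = (
    "Nightly backup"
    '<a href="https://login-portal.example.invalid/">'
    "Session expired, click here to re-authenticate</a>"
)

# Finds hrefs of anchors that a browser would treat as real links. This is a
# deliberately narrow check for the example, not a general HTML parser.
_HREF_RE = re.compile(r"<a\b[^>]*\bhref\s*=\s*[\"']([^\"']*)[\"']", re.IGNORECASE)


def render_unescaped(label, value):
    """Vulnerable pattern: untrusted text interpolated straight into markup.

    Any '<' in `value` is parsed by the browser, so the injected anchor
    becomes a clickable link that appears to be part of the page.
    """
    return f"<tr><td>{label}</td><td>{value}</td></tr>"


def render_escaped(label, value):
    """Fixed pattern: escape every untrusted value at the HTML output boundary.

    html.escape turns '<', '>', '&', '"' and "'" into entities, so the
    injected markup is displayed as literal text instead of being parsed.
    """
    return (
        f"<tr><td>{html.escape(label, quote=True)}</td>"
        f"<td>{html.escape(value, quote=True)}</td></tr>"
    )


def live_links(rendered_html):
    """Return the hrefs of anchors the browser would render as links.

    A non-empty result for a value that should be plain text means the
    output path is injectable.
    """
    return _HREF_RE.findall(rendered_html)


def value_is_plain_text(value):
    """Defence-in-depth input check: reject values that carry markup at all.

    Output escaping is the real fix; this only narrows what reaches storage
    and does not replace escaping at render time.
    """
    return re.search(r"[<>]", value) is None


if __name__ == "__main__":
    for name, render in (("unescaped", render_unescaped), ("escaped", render_escaped)):
        out = render("Description", INJECTED_VALUE)
        print(f"{name}: live links = {live_links(out)}")
        print(f"  {out}")
```

Running the block prints one live link for the unescaped path and none for the escaped path; the escaped output still shows the attacker's text, but as inert characters rather than a hyperlink.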
Affected Version(s)
Control-M 9.0.20 < 9.0.20.238
Control-M 9.0.21 < 9.0.21.200
CVSS v3.1
Score: 5.4
Severity: MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Confidentiality: Low
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed
Credit
Maksymilian Kubiak [Afine Team]
Dawid Małecki [Afine Team]
