TROYANOSYVIRUS
Voltar para CVEs

CVE-2020-8339

MEDIUM
4.3

Descricao

A cross-site scripting inclusion (XSSI) vulnerability was reported in the legacy IBM BladeCenter Advanced Management Module (AMM) web interface prior to version 3.68n [BPET68N]. This vulnerability could allow an authenticated user's AMM credentials to be disclosed if the user is convinced to visit a malicious web site, possibly through phishing. Successful exploitation requires specific knowledge about the user’s network to be included in the malicious web site. Impact is limited to the normal access restrictions of the user visiting the malicious web site, and subject to the user being logged into AMM, being able to connect to both AMM and the malicious web site while the web browser is open, and using a web browser that does not inherently protect against this class of attack. The JavaScript code is not executed on AMM itself.

Detalhes CVE

Pontuacao CVSS v3.14.3
SeveridadeMEDIUM
Vetor CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Vetor de ataqueNETWORK
ComplexidadeLOW
Privilegios necessariosNONE
Interacao do usuarioREQUIRED
Publicado9/15/2020
Ultima modificacao11/21/2024
Fontenvd
Avistamentos honeypot0

Produtos afetados

ibm:bladecenter_advanced_management_moduleibm:bladecenter_advanced_management_module_firmware

Fraquezas (CWE)

CWE-522CWE-79

Referencias

https://support.lenovo.com/us/en/product_security/LEN-38385(psirt@lenovo.com)
https://support.lenovo.com/us/en/product_security/LEN-38385(af854a3a-2127-422b-91ae-364da2661108)

Correlacoes IOC

Sem correlacoes registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.