CVE-2013-6718
https://notcve.org/view.php?id=CVE-2013-6718
The Advanced Management Module (AMM) with firmware 3.64B, 3.64C, and 3.64G for IBM BladeCenter systems allows remote attackers to discover account names and passwords via use of an unspecified interface.
References:
• http://osvdb.org/100397
• http://secunia.com/advisories/55921
• http://www.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm_bladecenter_advanced_management_module_account_information_exposure_cve_2013_6718
• http://www.securityfocus.com/bid/64032
• https://exchange.xforce.ibmcloud.com/vulnerabilities/89174
CWE-310: Cryptographic Issues
CVE-2013-4007 – IBM Advanced Management Module Cross Site Scripting
https://notcve.org/view.php?id=CVE-2013-4007
Cross-site scripting (XSS) vulnerability in adv_sw.php in the Advanced Management Module (AMM) with firmware BBET before BBET64G and BPET before BPET64G for IBM BladeCenter systems allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
References:
• http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5093491
• https://exchange.xforce.ibmcloud.com/vulnerabilities/85274
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2010-2656 – IBM Bladecenter Management - Multiple Web Application Vulnerabilities
https://notcve.org/view.php?id=CVE-2010-2656
The IBM BladeCenter with Advanced Management Module (AMM) firmware build ID BPET48L, and possibly other versions before 4.7 and 5.0, stores sensitive information under the web root with insufficient access control, which allows remote attackers to download (1) logs or (2) core files via direct requests, as demonstrated by a request for private/sdc.tgz.
References:
• https://www.exploit-db.com/exploits/14237
• http://dsecrg.com/pages/vul/show.php?id=154
• http://osvdb.org/66123
• http://www.exploit-db.com/exploits/14237
• http://www.securityfocus.com/bid/41383
CWE-264: Permissions, Privileges, and Access Controls
CVE-2010-2654 – IBM Bladecenter Management - Multiple Web Application Vulnerabilities
https://notcve.org/view.php?id=CVE-2010-2654
Multiple cross-site scripting (XSS) vulnerabilities on the IBM BladeCenter with Advanced Management Module (AMM) firmware build ID BPET48L, and possibly other versions before 4.7 and 5.0, allow remote attackers to inject arbitrary web script or HTML via the (1) INDEX or (2) IPADDR parameter to private/cindefn.php, (3) the domain parameter to private/power_management_policy_options.php, the slot parameter to (4) private/pm_temp.php or (5) private/power_module.php, (6) the WEBINDEX parameter to private/blade_leds.php, or (7) the SLOT parameter to private/ipmi_bladestatus.php.
References:
• https://www.exploit-db.com/exploits/14237
• http://dsecrg.com/pages/vul/show.php?id=154
• http://osvdb.org/66122
• http://osvdb.org/66125
• http://osvdb.org/66126
• http://osvdb.org/66127
• http://osvdb.org/66128
• http://osvdb.org/66129
• http://osvdb.org/66130
• http://www.exploit-db.com/exploits/14237
• http://www.securityfocus.com/bid/41383
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2010-2655 – IBM Bladecenter Management - Multiple Web Application Vulnerabilities
https://notcve.org/view.php?id=CVE-2010-2655
Directory traversal vulnerability in private/file_management.php on the IBM BladeCenter with Advanced Management Module (AMM) firmware build ID BPET48L, and possibly other versions before 4.7 and 5.0, allows remote authenticated users to list arbitrary directories and possibly have unspecified other impact via a .. (dot dot) in the DIR parameter.
References:
• https://www.exploit-db.com/exploits/14237
• http://dsecrg.com/pages/vul/show.php?id=154
• http://osvdb.org/66124
• http://www.exploit-db.com/exploits/14237
• http://www.securityfocus.com/bid/41383
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')