CVE-2020-8339
https://notcve.org/view.php?id=CVE-2020-8339
A cross-site script inclusion (XSSI) vulnerability was reported in the legacy IBM BladeCenter Advanced Management Module (AMM) web interface prior to version 3.68n [BPET68N]. This vulnerability could allow an authenticated user's AMM credentials to be disclosed if the user is convinced to visit a malicious web site, possibly through phishing. Successful exploitation requires specific knowledge about the user's network to be included in the malicious web site. Impact is limited to the normal access restrictions of the user visiting the malicious web site, and is subject to the user being logged into AMM, being able to connect to both AMM and the malicious web site while the web browser is open, and using a web browser that does not inherently protect against this class of attack. The JavaScript code is not executed on AMM itself.
• References: https://support.lenovo.com/us/en/product_security/LEN-38385
• Weaknesses: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'); CWE-522: Insufficiently Protected Credentials
CVE-2016-8232
https://notcve.org/view.php?id=CVE-2016-8232
Document Object Model (DOM) based cross-site scripting vulnerability in the Advanced Management Module (AMM) versions earlier than 66Z of Lenovo IBM BladeCenter HS22, HS22V, HS23, HS23E, HX5 allows an unauthenticated attacker with access to the AMM's IP address to send a crafted URL that could inject a malicious script to access a user's AMM data such as cookies or other session information.
• References: http://www.securityfocus.com/bid/95839 https://exchange.xforce.ibmcloud.com/vulnerabilities/121443 https://support.lenovo.com/us/en/product_security/LEN-5700
• Weaknesses: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2013-4007 – IBM Advanced Management Module Cross Site Scripting
https://notcve.org/view.php?id=CVE-2013-4007
Cross-site scripting (XSS) vulnerability in adv_sw.php in the Advanced Management Module (AMM) with firmware BBET before BBET64G and BPET before BPET64G for IBM BladeCenter systems allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
• References: http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5093491 https://exchange.xforce.ibmcloud.com/vulnerabilities/85274
• Weaknesses: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2010-2656 – IBM Bladecenter Management - Multiple Web Application Vulnerabilities
https://notcve.org/view.php?id=CVE-2010-2656
The IBM BladeCenter with Advanced Management Module (AMM) firmware build ID BPET48L, and possibly other versions before 4.7 and 5.0, stores sensitive information under the web root with insufficient access control, which allows remote attackers to download (1) logs or (2) core files via direct requests, as demonstrated by a request for private/sdc.tgz.
• References: https://www.exploit-db.com/exploits/14237 http://dsecrg.com/pages/vul/show.php?id=154 http://osvdb.org/66123 http://www.exploit-db.com/exploits/14237 http://www.securityfocus.com/bid/41383
• Weaknesses: CWE-264: Permissions, Privileges, and Access Controls
CVE-2010-2654 – IBM Bladecenter Management - Multiple Web Application Vulnerabilities
https://notcve.org/view.php?id=CVE-2010-2654
Multiple cross-site scripting (XSS) vulnerabilities on the IBM BladeCenter with Advanced Management Module (AMM) firmware build ID BPET48L, and possibly other versions before 4.7 and 5.0, allow remote attackers to inject arbitrary web script or HTML via the (1) INDEX or (2) IPADDR parameter to private/cindefn.php, (3) the domain parameter to private/power_management_policy_options.php, the slot parameter to (4) private/pm_temp.php or (5) private/power_module.php, (6) the WEBINDEX parameter to private/blade_leds.php, or (7) the SLOT parameter to private/ipmi_bladestatus.php.
• References: https://www.exploit-db.com/exploits/14237 http://dsecrg.com/pages/vul/show.php?id=154 http://osvdb.org/66122 http://osvdb.org/66125 http://osvdb.org/66126 http://osvdb.org/66127 http://osvdb.org/66128 http://osvdb.org/66129 http://osvdb.org/66130 http://www.exploit-db.com/exploits/14237 http://www.securityfocus.com/bid/41383
• Weaknesses: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')