CVSS: 6.1EPSS: 0%CPEs: 11EXPL: 0CVE-2014-0883 – IBM Power Hardware Management Console cross-site scripting
https://notcve.org/view.php?id=CVE-2014-0883
IBM Power HMC 7.1.0 through 7.8.0 and 7.3.5 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 91163. Vulnerabilidad de Cross-Site Scripting (XSS) en IBM Power Hardware Management Console (HMC) 7R7.1.0, 7R7.2.0, 7R7.3.0 hasta 7R7.3.5, 7R7.7.0 hasta SP3 y 7R7.8.0 anterior al SP1 permite que atacantes remotos inyecten scripts web o HTML arbitrarios mediante el nombre de usuario en la pantalla de inicio de sesión. IBM X-Force ID: 91163. • https://exchange.xforce.ibmcloud.com/vulnerabilities/91163 https://www.ibm.com/support/pages/security-bulletin-power-hardware-management-console-hmc-cve-2014-0883 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 9EXPL: 0CVE-2012-3296
https://notcve.org/view.php?id=CVE-2012-3296
Cross-site scripting (XSS) vulnerability in the Help link in the login panel in IBM Power Hardware Management Console (HMC) 7R7.1.0 before SP4, 7R7.2.0 before SP2, and 7R7.3.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Una vulnerabilidad de ejecución de comandos en sitios cruzados (XSS) en el enlace de Ayuda en el panel de inicio de sesión en IBM Power Hardware Management Console (HMC) v7R7.1.0 antes SP4, v7R7.2.0 antes de SP2 y 7R7.3.0 permite a atacantes remotos inyectar secuencias de comandos web o HTML de su elección a través de vectores no especificados. • http://secunia.com/advisories/50376 http://www.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_the_help_link_on_the_power_hmc_login_panel_is_susceptible_to_reflected_cross_site_scripting_cve_2012_329617 http://www.ibm.com/support/docview.wss?uid=isg1MB03488 http://www.ibm.com/support/docview.wss?uid=isg1MB03489 http://www.ibm.com/support/docview.wss?uid=isg1MB03494 http://www.ibm.com/support/fixcentral/firmware/readme?fixid=MH01253 http://www.ibm.com/support/fixcentral/firmware/readme • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.2EPSS: 0%CPEs: 5EXPL: 0CVE-2012-2188
https://notcve.org/view.php?id=CVE-2012-2188
IBM Power Hardware Management Console (HMC) 7R3.5.0 before SP4, 7R7.1.0 and 7R7.2.0 before 7R7.2.0 SP3, and 7R7.3.0 before SP2, and Systems Director Management Console (SDMC) 6R7.3.0 before SP2, does not properly restrict the VIOS viosrvcmd command, which allows local users to gain privileges via vectors involving a (1) $ (dollar sign) or (2) & (ampersand) character. IBM Power Hardware Management Console (HMC) v7R3.5.0 anteriores a vSP4, v7R7.1.0 y 7R7.2.0 anteriores a v7R7.2.0 SP3, y 7R7.3.0 anteriores a SP2, y Systems Director Management Console (SDMC) v6R7.3.0 anteriores a SP2, no restringe de forma adecuada el comando VIOS viosrvcmd, lo que permite a usuarios locales a obtener privilegios a través de vectores que implican los caracteres (1) $ (signo del dolar) o (2) & (ampersand). • http://www.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_power_hmc_viosrvcmd_command_allows_elevated_privilege_on_vios_cve_2012_218825 http://www.ibm.com/support/docview.wss?uid=isg1MB03548 http://www.ibm.com/support/docview.wss?uid=isg1MB03550 http://www.ibm.com/support/docview.wss?uid=isg1MB03554 http://www.ibm.com/support/docview.wss?uid=isg1MB03580 https://exchange.xforce.ibmcloud.com/vulnerabilities/75906 • CWE-264: Permissions, Privileges, and Access Controls •