
CVE-2020-8339

 

Severity Score (CVSS v3.1): 6.1
Exploit Likelihood (EPSS):
Affected Versions (CPE):
Public Exploits (Multiple Sources): 0
Exploited in Wild (KEV): -
Decision (SSVC): -

Descriptions

A cross-site scripting inclusion (XSSI) vulnerability was reported in the legacy IBM BladeCenter Advanced Management Module (AMM) web interface prior to version 3.68n [BPET68N]. This vulnerability could allow an authenticated user's AMM credentials to be disclosed if the user is convinced to visit a malicious web site, possibly through phishing. Successful exploitation requires specific knowledge about the user’s network to be included in the malicious web site. Impact is limited to the normal access restrictions of the user visiting the malicious web site, and subject to the user being logged into AMM, being able to connect to both AMM and the malicious web site while the web browser is open, and using a web browser that does not inherently protect against this class of attack. The JavaScript code is not executed on AMM itself.


*Credits: Lenovo thanks Cybersecurity lab, CS Dept, Lomonosov Moscow State University (SecLab@MSU) for reporting this issue.
CVSS Scores
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Attack Vector: Network
Attack Complexity: Medium
Authentication: None
Confidentiality: None
Integrity: Partial
Availability: None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2020-01-28 CVE Reserved
  • 2020-09-15 CVE Published
  • 2023-06-01 EPSS Updated
  • 2024-09-16 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • CWE-522: Insufficiently Protected Credentials
CAPEC
References (1)
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Ibm
Bladecenter Advanced Management Module Firmware
< 3.68n
-
Affected
in Ibm
Bladecenter Advanced Management Module
--
Safe