ID: CVE-2020-8339
Type: cve
Reporter: cve@mitre.org
Modified: 2020-09-22T17:10:00
Description
A cross-site scripting inclusion (XSSI) vulnerability was reported in the legacy IBM BladeCenter Advanced Management Module (AMM) web interface prior to version 3.68n [BPET68N]. This vulnerability could allow an authenticated user's AMM credentials to be disclosed if the user is convinced to visit a malicious web site, possibly through phishing. Successful exploitation requires specific knowledge about the user’s network to be included in the malicious web site. Impact is limited to the normal access restrictions of the user visiting the malicious web site, and subject to the user being logged into AMM, being able to connect to both AMM and the malicious web site while the web browser is open, and using a web browser that does not inherently protect against this class of attack. The JavaScript code is not executed on AMM itself.
Record details (NVD, reporter cve@mitre.org)

Published: 2020-09-15T15:15:00
Modified: 2020-09-22T17:10:00
NVD entry: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-8339
CWE: CWE-79

CVSS v2.0: 4.3 (MEDIUM), vector AV:N/AC:M/Au:N/C:N/I:P/A:N
  Access vector: NETWORK; access complexity: MEDIUM; authentication: NONE
  Confidentiality impact: NONE; integrity impact: PARTIAL; availability impact: NONE
  Exploitability subscore: 8.6; impact subscore: 2.9; user interaction required: true
  Obtain all privilege: false; obtain other privilege: false; obtain user privilege: false

CVSS v3.1: 6.1 (MEDIUM), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
  Attack vector: NETWORK; attack complexity: LOW; privileges required: NONE; user interaction: REQUIRED; scope: CHANGED
  Confidentiality impact: LOW; integrity impact: LOW; availability impact: NONE
  Exploitability subscore: 2.8; impact subscore: 2.7

Affected software
  ibm:bladecenter_advanced_management_module_firmware, versions < 3.68n (vulnerable)
  cpe:2.3:o:ibm:bladecenter_advanced_management_module_firmware:3.68n:*:*:*:*:*:*:* (versionEndExcluding 3.68n, vulnerable: true)
  Configuration (AND node): cpe:2.3:h:ibm:bladecenter_advanced_management_module:-:*:*:*:*:*:*:* (hardware platform, vulnerable: false)

References
  https://support.lenovo.com/us/en/product_security/LEN-38385

Related advisories
  LENOVO:PS500343-XSSI-VULNERABILITY-IN-LEGACY-IBM-BLADECENTER-AMM-NOSID
  LENOVO:PS500343-NOSID
Lenovo advisory

Source records: LENOVO:PS500343-NOSID (https://support.lenovo.com/us/en/product_security/ps500343) and LENOVO:PS500343-XSSI-VULNERABILITY-IN-LEGACY-IBM-BLADECENTER-AMM-NOSID (https://support.lenovo.com/us/en/product_security/ps500343-xssi-vulnerability-in-legacy-ibm-bladecenter-amm), both titled "XSSI Vulnerability in legacy IBM BladeCenter AMM - Lenovo Support US", published 2020-09-06T17:42:59, modified 2020-09-08T14:03:47, CVSS 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N). The two records carry the same advisory text, reproduced once below.

**Lenovo Security Advisory:** LEN-38385

**Potential Impact:** Information disclosure

**Severity:** Medium

**Scope of Impact:** Lenovo-specific

**CVE Identifier:** CVE-2020-8339

**Summary Description:**

A cross-site scripting inclusion (XSSI) vulnerability was reported in the legacy IBM BladeCenter Advanced Management Module (AMM) web interface. This vulnerability could allow an authenticated user's AMM credentials to be disclosed if the user is convinced to visit a malicious web site, possibly through phishing.

Successful exploitation requires specific knowledge about the user’s network to be included in the malicious web site. Impact is limited to the normal access restrictions of the user visiting the malicious web site, and subject to the user being logged into AMM, being able to connect to both AMM and the malicious web site while the web browser is open, and using a web browser that does not inherently protect against this class of attack. The JavaScript code is not executed on AMM itself.

**Mitigation Strategy for Customers (what you should do to protect yourself):**

Upgrade to IBM BladeCenter Advanced Management Module Firmware v3.68n [BPET68N] (or newer) from [IBM Fix Central](https://www.ibm.com/support/fixcentral/).

**Acknowledgement:**

Lenovo thanks Cybersecurity lab, CS Dept, Lomonosov Moscow State University (SecLab@MSU) for reporting this issue.

**Revision History:**

Revision | Date | Description
---|---|---
1 | 2020-09-08 | Initial release

For a complete list of all Lenovo Product Security Advisories, click [here](https://support.lenovo.com//product_security/home).

For the most up to date information, please remain current with updates and advisories from Lenovo regarding your equipment and software. The information provided in this advisory is provided on an “as is” basis without any warranty or guarantee of any kind. Lenovo reserves the right to change or update this advisory at any time.