
Security Bulletin: Vulnerability in IBM Advanced Management Module (CVE-2013-4007)

2023-04-18 18:22:18
www.ibm.com

CVSS2: 3.5 Low
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: SINGLE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N

EPSS: 0.001 Low
Percentile: 26.6%

Summary

A cross-site scripting (XSS) vulnerability was found in the adv_sw.php page of the IBM Advanced Management Module.

Vulnerability Details

Abstract

A cross-site scripting (XSS) vulnerability was found in the adv_sw.php page of the IBM Advanced Management Module.

Vulnerability Details:

CVE ID: CVE-2013-4007

Description:

A remote attacker could exploit this vulnerability to execute a script in a victim’s web browser within the security context of the hosting web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials. This attack does require that the user clicking the vulnerable link be authenticated with a valid user ID and password.

CVSS:
CVSS Base Score: 3.5
CVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/85274> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)

Affected Products:

AMM FW versions before BPET64G, BBET64G

Remediation:

The recommended solution is to apply the fix to all previous versions as soon as practical. Please see below for information on the fixes available.

Fix:

Update AMM firmware version to BPET64G and BBET64G. Firmware can be downloaded from IBM Fix Central.

Workaround(s) & Mitigation(s):

None

References:

Complete CVSS Guide
On-line Calculator V2
CVE-2013-4007
<http://xforce.iss.net/xforce/xfdb/85274>

Related Information:

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
IBM Fix Central

Acknowledgement:

This vulnerability was reported to IBM by Jens Regel of Schneider & Wulf EVD-Beratung.

Change History:

12 August 2013: Original copy published
