LENOVO:PS500343-NOSID
Sep 06, 2020 - 5:42 p.m.

XSSI Vulnerability in legacy IBM BladeCenter AMM - Lenovo Support US

2020-09-06 17:42:59
support.lenovo.com

EPSS: 0.001

Percentile: 31.3%

**Lenovo Security Advisory:** LEN-38385

**Potential Impact:** Information disclosure

**Severity:** Medium

**Scope of Impact:** Lenovo-specific

**CVE Identifier:** CVE-2020-8339

Summary Description:

A cross-site scripting inclusion (XSSI) vulnerability was reported in the legacy IBM BladeCenter Advanced Management Module (AMM) web interface. This vulnerability could allow an authenticated user’s AMM credentials to be disclosed if the user is convinced to visit a malicious web site, possibly through phishing.

Successful exploitation requires specific knowledge about the user’s network to be included in the malicious web site. Impact is limited to the normal access restrictions of the user visiting the malicious web site, and subject to the user being logged into AMM, being able to connect to both AMM and the malicious web site while the web browser is open, and using a web browser that does not inherently protect against this class of attack. The JavaScript code is not executed on AMM itself.

Mitigation Strategy for Customers (what you should do to protect yourself):

Upgrade to IBM BladeCenter Advanced Management Module Firmware v3.68n [BPET68N] (or newer) from IBM Fix Central.

Acknowledgement:

Lenovo thanks Cybersecurity lab, CS Dept, Lomonosov Moscow State University (SecLab@MSU) for reporting this issue.

Revision History:

| Revision | Date | Description |
|---|---|---|
| 1 | 2020-09-08 | Initial release |

For a complete list of all Lenovo Product Security Advisories, click here.

For the most up to date information, please remain current with updates and advisories from Lenovo regarding your equipment and software. The information provided in this advisory is provided on an “as is” basis without any warranty or guarantee of any kind. Lenovo reserves the right to change or update this advisory at any time.
