CVE-2020-8339 (GCVE-0-2020-8339)

Vulnerability from cvelistv5 – Published: 2020-09-15 14:20 – Updated: 2024-09-16 17:49
Summary
A cross-site scripting inclusion (XSSI) vulnerability was reported in the legacy IBM BladeCenter Advanced Management Module (AMM) web interface prior to version 3.68n [BPET68N]. This vulnerability could allow an authenticated user's AMM credentials to be disclosed if the user is convinced to visit a malicious web site, possibly through phishing. Successful exploitation requires specific knowledge about the user’s network to be included in the malicious web site. Impact is limited to the normal access restrictions of the user visiting the malicious web site, and subject to the user being logged into AMM, being able to connect to both AMM and the malicious web site while the web browser is open, and using a web browser that does not inherently protect against this class of attack. The JavaScript code is not executed on AMM itself.
CWE
  • CWE-522 - Insufficiently Protected Credentials
Assigner
References
Impacted products
Vendor   Product                   Version
IBM      BladeCenter AMM firmware  Affected: unspecified, < 3.68n [BPET68N] (custom)
Date Public
2020-09-15 00:00
Credits
Lenovo thanks Cybersecurity lab, CS Dept, Lomonosov Moscow State University (SecLab@MSU) for reporting this issue.

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T09:56:28.319Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://support.lenovo.com/us/en/product_security/LEN-38385"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "BladeCenter AMM firmware",
          "vendor": "IBM",
          "versions": [
            {
              "lessThan": "3.68n [BPET68N]",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Lenovo thanks Cybersecurity lab, CS Dept, Lomonosov Moscow State University (SecLab@MSU) for reporting this issue."
        }
      ],
      "datePublic": "2020-09-15T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A cross-site scripting inclusion (XSSI) vulnerability was reported in the legacy IBM BladeCenter Advanced Management Module (AMM) web interface prior to version 3.68n [BPET68N]. This vulnerability could allow an authenticated user\u0027s AMM credentials to be disclosed if the user is convinced to visit a malicious web site, possibly through phishing. Successful exploitation requires specific knowledge about the user\u2019s network to be included in the malicious web site. Impact is limited to the normal access restrictions of the user visiting the malicious web site, and subject to the user being logged into AMM, being able to connect to both AMM and the malicious web site while the web browser is open, and using a web browser that does not inherently protect against this class of attack. The JavaScript code is not executed on AMM itself."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-522",
              "description": "CWE-522 Insufficiently Protected Credentials",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-09-15T14:20:17.000Z",
        "orgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
        "shortName": "lenovo"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://support.lenovo.com/us/en/product_security/LEN-38385"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Upgrade to IBM BladeCenter Advanced Management Module Firmware v3.68n [BPET68N] (or newer) from IBM Fix Central."
        }
      ],
      "source": {
        "advisory": "LEN-38385",
        "discovery": "UNKNOWN"
      },
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@lenovo.com",
          "DATE_PUBLIC": "2020-09-15T16:00:00.000Z",
          "ID": "CVE-2020-8339",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "BladeCenter AMM firmware",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_value": "3.68n [BPET68N]"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "IBM"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Lenovo thanks Cybersecurity lab, CS Dept, Lomonosov Moscow State University (SecLab@MSU) for reporting this issue."
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A cross-site scripting inclusion (XSSI) vulnerability was reported in the legacy IBM BladeCenter Advanced Management Module (AMM) web interface prior to version 3.68n [BPET68N]. This vulnerability could allow an authenticated user\u0027s AMM credentials to be disclosed if the user is convinced to visit a malicious web site, possibly through phishing. Successful exploitation requires specific knowledge about the user\u2019s network to be included in the malicious web site. Impact is limited to the normal access restrictions of the user visiting the malicious web site, and subject to the user being logged into AMM, being able to connect to both AMM and the malicious web site while the web browser is open, and using a web browser that does not inherently protect against this class of attack. The JavaScript code is not executed on AMM itself."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-522 Insufficiently Protected Credentials"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://support.lenovo.com/us/en/product_security/LEN-38385",
              "refsource": "MISC",
              "url": "https://support.lenovo.com/us/en/product_security/LEN-38385"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "Upgrade to IBM BladeCenter Advanced Management Module Firmware v3.68n [BPET68N] (or newer) from IBM Fix Central."
          }
        ],
        "source": {
          "advisory": "LEN-38385",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
    "assignerShortName": "lenovo",
    "cveId": "CVE-2020-8339",
    "datePublished": "2020-09-15T14:20:17.188Z",
    "dateReserved": "2020-01-28T00:00:00.000Z",
    "dateUpdated": "2024-09-16T17:49:07.196Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2020-8339",
      "date": "2026-06-03",
      "epss": "0.00289",
      "percentile": "0.52613"
    },
    "fkie_nvd": {
      "configurations": "[{\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:ibm:bladecenter_advanced_management_module_firmware:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"3.68n\", \"matchCriteriaId\": \"9C8B483C-A94B-4123-BBE1-ED0A27A668BB\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:h:ibm:bladecenter_advanced_management_module:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"558E3E8F-32FB-418B-9CDF-34357AF5834B\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"A cross-site scripting inclusion (XSSI) vulnerability was reported in the legacy IBM BladeCenter Advanced Management Module (AMM) web interface prior to version 3.68n [BPET68N]. This vulnerability could allow an authenticated user\u0027s AMM credentials to be disclosed if the user is convinced to visit a malicious web site, possibly through phishing. Successful exploitation requires specific knowledge about the user\\u2019s network to be included in the malicious web site. Impact is limited to the normal access restrictions of the user visiting the malicious web site, and subject to the user being logged into AMM, being able to connect to both AMM and the malicious web site while the web browser is open, and using a web browser that does not inherently protect against this class of attack. The JavaScript code is not executed on AMM itself.\"}, {\"lang\": \"es\", \"value\": \"Se report\\u00f3 una vulnerabilidad de inclusi\\u00f3n de tipo cross-site scripting (XSSI) en la interfaz web legacy de IBM BladeCenter Advanced Management Module (AMM) versiones anteriores a 3.68n [BPET68N].\u0026#xa0;Esta vulnerabilidad podr\\u00eda permitir que sean reveladas unas credenciales de AMM de un usuario autenticado si el usuario est\\u00e1 convencido de visitar un sitio web malicioso, posiblemente por medio de phishing.\u0026#xa0;Una explotaci\\u00f3n con \\u00e9xito requiere un conocimiento espec\\u00edfico sobre la red del usuario para ser incluido en el sitio web malicioso.\u0026#xa0;El impacto es limitado a las restricciones de acceso normales del usuario que visita el sitio web malicioso y est\\u00e1 sujeto a que el usuario inicie sesi\\u00f3n en AMM, pueda conectarse tanto a AMM como al sitio web malicioso mientras el navegador web est\\u00e9 abierto y use un navegador web que no protege inherentemente contra esta clase de ataque.\u0026#xa0;El c\\u00f3digo JavaScript no es ejecutado en AMM en s\\u00ed\"}]",
      "id": "CVE-2020-8339",
      "lastModified": "2024-11-21T05:38:44.447",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"psirt@lenovo.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N\", \"baseScore\": 4.3, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 1.4}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\", \"baseScore\": 6.1, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 2.7}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:N/C:N/I:P/A:N\", \"baseScore\": 4.3, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.6, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": true}]}",
      "published": "2020-09-15T15:15:14.150",
      "references": "[{\"url\": \"https://support.lenovo.com/us/en/product_security/LEN-38385\", \"source\": \"psirt@lenovo.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://support.lenovo.com/us/en/product_security/LEN-38385\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}]",
      "sourceIdentifier": "psirt@lenovo.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"psirt@lenovo.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-522\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-79\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2020-8339\",\"sourceIdentifier\":\"psirt@lenovo.com\",\"published\":\"2020-09-15T15:15:14.150\",\"lastModified\":\"2024-11-21T05:38:44.447\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A cross-site scripting inclusion (XSSI) vulnerability was reported in the legacy IBM BladeCenter Advanced Management Module (AMM) web interface prior to version 3.68n [BPET68N]. This vulnerability could allow an authenticated user\u0027s AMM credentials to be disclosed if the user is convinced to visit a malicious web site, possibly through phishing. Successful exploitation requires specific knowledge about the user\u2019s network to be included in the malicious web site. Impact is limited to the normal access restrictions of the user visiting the malicious web site, and subject to the user being logged into AMM, being able to connect to both AMM and the malicious web site while the web browser is open, and using a web browser that does not inherently protect against this class of attack. The JavaScript code is not executed on AMM itself.\"},{\"lang\":\"es\",\"value\":\"Se report\u00f3 una vulnerabilidad de inclusi\u00f3n de tipo cross-site scripting (XSSI) en la interfaz web legacy de IBM BladeCenter Advanced Management Module (AMM) versiones anteriores a 3.68n [BPET68N].\u0026#xa0;Esta vulnerabilidad podr\u00eda permitir que sean reveladas unas credenciales de AMM de un usuario autenticado si el usuario est\u00e1 convencido de visitar un sitio web malicioso, posiblemente por medio de phishing.\u0026#xa0;Una explotaci\u00f3n con \u00e9xito requiere un conocimiento espec\u00edfico sobre la red del usuario para ser incluido en el sitio web malicioso.\u0026#xa0;El impacto es limitado a las restricciones de acceso normales del usuario que visita el sitio web malicioso y est\u00e1 sujeto a que el usuario inicie sesi\u00f3n en AMM, pueda conectarse tanto a AMM como al sitio web malicioso mientras el navegador web est\u00e9 abierto y use un navegador web que no protege inherentemente contra esta clase de ataque.\u0026#xa0;El c\u00f3digo JavaScript no es ejecutado en AMM en s\u00ed\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"psirt@lenovo.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:N/I:P/A:N\",\"baseScore\":4.3,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"psirt@lenovo.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-522\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:ibm:bladecenter_advanced_management_module_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"3.68n\",\"matchCriteriaId\":\"9C8B483C-A94B-4123-BBE1-ED0A27A668BB\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:ibm:bladecenter_advanced_management_module:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"558E3E8F-32FB-418B-9CDF-34357AF5834B\"}]}]}],\"references\":[{\"url\":\"https://support.lenovo.com/us/en/product_security/LEN-38385\",\"source\":\"psirt@lenovo.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://support.lenovo.com/us/en/product_security/LEN-38385\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}"
  }
}

