**Lenovo Security Advisory:** LEN-38385
**Potential Impact:** Information disclosure
**Severity:** Medium
**Scope of Impact:** Lenovo-specific
**CVE Identifier:** CVE-2020-8339
Summary Description:
A cross-site script inclusion (XSSI) vulnerability was reported in the legacy IBM BladeCenter Advanced Management Module (AMM) web interface. An authenticated user's AMM credentials could be disclosed if the user is lured, for example through phishing, into visiting a malicious web site while logged in to AMM.
Successful exploitation requires specific knowledge of the user's network (such as how to reach the AMM) to be embedded in the malicious web site. Impact is limited to the normal access rights of the user who visits the malicious site, and exploitation further requires that the user is logged in to AMM, that the browser can connect to both AMM and the malicious web site while it is open, and that the browser does not inherently protect against this class of attack. The JavaScript runs in the user's browser; it is not executed on the AMM itself.
Mitigation Strategy for Customers (what you should do to protect yourself):
Upgrade to IBM BladeCenter Advanced Management Module Firmware v3.68n [BPET68N] (or newer) from IBM Fix Central.
Acknowledgement:
Lenovo thanks Cybersecurity lab, CS Dept, Lomonosov Moscow State University (SecLab@MSU) for reporting this issue.
Revision History:
| Revision | Date | Description |
|---|---|---|
| 1 | 2020-09-08 | Initial release |
For a complete list of all Lenovo Product Security Advisories, see Lenovo's Product Security Advisories page.
For the most up-to-date information, please remain current with updates and advisories from Lenovo regarding your equipment and software. The information provided in this advisory is provided on an "as is" basis without any warranty or guarantee of any kind. Lenovo reserves the right to change or update this advisory at any time.