IBM Advanced Management Module Cross-Site Scripting (XSS)

Credit: Jens Regel
Risk: Low
Local: No
Remote: Yes

CVSS Base Score: 3.5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 6.8/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Single time
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

Title: ====== IBM Advanced Management Module Cross-Site Scripting (XSS) CVE-ID: ======= CVE-2013-4007 Timeline: ========= 2013-06-10 Vulnerability discovered 2013-06-10 Reported to IBM Product Security Incident Response Team 2013-06-11 Vendor responded 2013-08-12 Official advisory and fix from IBM 2013-08-12 Public disclosure Introduction: ============= Cross-Site Scripting (XSS) vulnerability is found in adv_sw.php page of IBM Advanced Management Module. Status: ======= Published Affected Products: ================== IBM Advanced Management Module with firmware BPET64B (3.64B) Vendor Advisory: ================ Details: ======== A remote attacker could exploit this vulnerability to execute a script in a victim's web browser within the security context of the hosting web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. This attack does require that the user clicking the vulnerable link be authenticated with a valid user ID and password. Proof of Concept: ================= http://ibm-amm-ip/private/adv_sw.php?WEBINDEX=<XSS> Fix: ==== The vulnerability is fixed in firmware v3.64G [BPET64G] Update Portal: Author: ======= Jens Regel <jens[at]loxiran[dot]de> -- Jabber: ICQ: 19090972 Mail:

Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024,


Back to Top