CVE-2019-6159
Summary
| CVE | CVE-2019-6159 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2019-08-19 15:15:00 UTC |
| Updated | 2023-03-29 16:23:00 UTC |
| Description | A stored cross-site scripting (XSS) vulnerability exists in various firmware versions of the legacy IBM System x IMM (IMM v1) embedded Baseboard Management Controller (BMC). This vulnerability could allow an unauthenticated user to cause JavaScript code to be stored in the IMM log which may then be executed in the user's web browser when IMM log records containing the JavaScript code are viewed. The JavaScript code is not executed on IMM itself. The later IMM2 (IMM v2) is not affected. |
Risk And Classification
Problem Types: CWE-79
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Hardware | Lenovo | Bladecenter Hs22 | - | All | All | All |
| Hardware | Lenovo | Bladecenter Hs22 | - | All | All | All |
| Hardware | Lenovo | Bladecenter Hs22v | - | All | All | All |
| Hardware | Lenovo | Bladecenter Hs22v | - | All | All | All |
| Operating System | Lenovo | Bladecenter Hs22v Firmware | - | All | All | All |
| Operating System | Lenovo | Bladecenter Hs22v Firmware | - | All | All | All |
| Operating System | Lenovo | Bladecenter Hs22 Firmware | - | All | All | All |
| Operating System | Lenovo | Bladecenter Hs22 Firmware | - | All | All | All |
| Hardware | Lenovo | Bladecenter Hx5 | - | All | All | All |
| Hardware | Lenovo | Bladecenter Hx5 | - | All | All | All |
| Operating System | Lenovo | Bladecenter Hx5 Firmware | - | All | All | All |
| Operating System | Lenovo | Bladecenter Hx5 Firmware | - | All | All | All |
| Hardware | Lenovo | System X3400 M3 | - | All | All | All |
| Hardware | Lenovo | System X3400 M3 | - | All | All | All |
| Operating System | Lenovo | System X3400 M3 Firmware | - | All | All | All |
| Operating System | Lenovo | System X3400 M3 Firmware | - | All | All | All |
| Hardware | Lenovo | System X3500 M2 | - | All | All | All |
| Hardware | Lenovo | System X3500 M2 | - | All | All | All |
| Operating System | Lenovo | System X3500 M2 Firmware | - | All | All | All |
| Operating System | Lenovo | System X3500 M2 Firmware | - | All | All | All |
| Hardware | Lenovo | System X3500 M3 | - | All | All | All |
| Hardware | Lenovo | System X3500 M3 | - | All | All | All |
| Operating System | Lenovo | System X3500 M3 Firmware | - | All | All | All |
| Operating System | Lenovo | System X3500 M3 Firmware | - | All | All | All |
| Hardware | Lenovo | System X3550 M3 | - | All | All | All |
| Hardware | Lenovo | System X3550 M3 | - | All | All | All |
| Operating System | Lenovo | System X3550 M3 Firmware | - | All | All | All |
| Operating System | Lenovo | System X3550 M3 Firmware | - | All | All | All |
| Hardware | Lenovo | System X3560 M2 | - | All | All | All |
| Hardware | Lenovo | System X3560 M2 | - | All | All | All |
| Operating System | Lenovo | System X3560 M2 Firmware | - | All | All | All |
| Operating System | Lenovo | System X3560 M2 Firmware | - | All | All | All |
| Hardware | Lenovo | System X3630 M3 | - | All | All | All |
| Hardware | Lenovo | System X3630 M3 | - | All | All | All |
| Operating System | Lenovo | System X3630 M3 Firmware | - | All | All | All |
| Operating System | Lenovo | System X3630 M3 Firmware | - | All | All | All |
| Hardware | Lenovo | System X3650 M3 | - | All | All | All |
| Hardware | Lenovo | System X3650 M3 | - | All | All | All |
| Operating System | Lenovo | System X3650 M3 Firmware | - | All | All | All |
| Operating System | Lenovo | System X3650 M3 Firmware | - | All | All | All |
| Hardware | Lenovo | System X3690 X5 | - | All | All | All |
| Hardware | Lenovo | System X3690 X5 | - | All | All | All |
| Operating System | Lenovo | System X3690 X5 Firmware | - | All | All | All |
| Operating System | Lenovo | System X3690 X5 Firmware | - | All | All | All |
| Hardware | Lenovo | System X3850 X5 | - | All | All | All |
| Hardware | Lenovo | System X3850 X5 | - | All | All | All |
| Operating System | Lenovo | System X3850 X5 Firmware | - | All | All | All |
| Operating System | Lenovo | System X3850 X5 Firmware | - | All | All | All |
| Hardware | Lenovo | System X3950 X5 | - | All | All | All |
| Hardware | Lenovo | System X3950 X5 | - | All | All | All |
| Operating System | Lenovo | System X3950 X5 Firmware | - | All | All | All |
| Operating System | Lenovo | System X3950 X5 Firmware | - | All | All | All |
| Hardware | Lenovo | System X Idataplex Dx360 M2 | - | All | All | All |
| Hardware | Lenovo | System X Idataplex Dx360 M2 | - | All | All | All |
| Operating System | Lenovo | System X Idataplex Dx360 M2 Firmware | - | All | All | All |
| Operating System | Lenovo | System X Idataplex Dx360 M2 Firmware | - | All | All | All |
| Hardware | Lenovo | System X Idataplex Dx360 M3 | - | All | All | All |
| Hardware | Lenovo | System X Idataplex Dx360 M3 | - | All | All | All |
| Operating System | Lenovo | System X Idataplex Dx360 M3 Firmware | - | All | All | All |
| Operating System | Lenovo | System X Idataplex Dx360 M3 Firmware | - | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Stored XSS Vulnerability in legacy IBM System x IMM - Lenovo Support US | CONFIRM | support.lenovo.com | Mitigation, Vendor Advisory |
| IBM X-Force Exchange | MISC | exchange.xforce.ibmcloud.com | Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
LEGACY: Lenovo thanks Christopher Arnold for reporting this issue.
There are currently no legacy QID mappings associated with this CVE.