CVE-2024-1606 MEDIUM

CVE-2024-1606: HTML injection in BMC Control-M

Vendor Bmc
Product Control-M
Weakness CWE-80 · XSS · basic
Published March 18, 2024
Last update August 27, 2024

CVSS base score

4.6/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

What the vulnerability does

Description

Lack of input sanitization in BMC Control-M branches 9.0.20 and 9.0.21 allows logged-in users to manipulate generated web pages by injecting HTML code. This might lead to a successful phishing attack, for example by tricking users into following a hyperlink pointing to a website controlled by an attacker. The fix for the 9.0.20 branch was released in version 9.0.20.238; the fix for the 9.0.21 branch was released in version 9.0.21.200.

Key dates

Disclosure timeline

March 18, 2024 CVE published
August 27, 2024 Record updated