CVE-2024-1606

Summary

Lack of input sanitization in BMC Control-M branches 9.0.20 and 9.0.21 allows logged-in users for manipulation of generated web pages via injection of HTML code. This might lead to a successful phishing attack for example by tricking users into using a hyperlink pointing to a website controlled by an attacker.

Fix for 9.0.20 branch was released in version 9.0.20.238. Fix for 9.0.21 branch was released in version 9.0.21.200.

Affected Software

VendorProductVersion RangeStatus
BMCControl-M9.0.20 < 9.0.20.238affected
BMCControl-M9.0.21 < 9.0.21.200affected

Weaknesses

  • CWE-80: CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References