CVE-2009-1288

IBM Advanced Management Module - Cross-Site Scripting via Username or File Manager PATH Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2009-1288. PoCs published by Henri Lindberg.

AI-analyzed exploit summary The provided text describes multiple vulnerabilities in IBM BladeCenter Advanced Management Module, including HTML injection, XSS, information disclosure, and CSRF. It includes a specific payload for the HTML-injection issue but lacks functional exploit code.

Description

Multiple cross-site scripting (XSS) vulnerabilities in the Advanced Management Module (AMM) on the IBM BladeCenter, including the BladeCenter H with BPET36H 54, allow remote attackers to inject arbitrary web script or HTML via (1) the username in a login action or (2) the PATH parameter to private/file_management.ssi in the File manager.

Exploits (2)

exploitdb WRITEUP VERIFIED
by Henri Lindberg · textwebappsmultiple
https://www.exploit-db.com/exploits/32894

The provided text describes multiple vulnerabilities in IBM BladeCenter Advanced Management Module, including HTML injection, XSS, information disclosure, and CSRF. It includes a specific payload for the HTML-injection issue but lacks functional exploit code.

Classification
Writeup 90%
Attack Type
Xss | Info Leak | Auth Bypass
Complexity
Trivial
Reliability
Theoretical
Target: IBM BladeCenter Advanced Management Module < 1.42U
No auth needed
Prerequisites: Network access to the target system
devstral-2 · analyzed Feb 18, 2026 Full analysis →
exploitdb WRITEUP VERIFIED
by Henri Lindberg · textwebappsmultiple
https://www.exploit-db.com/exploits/32895

The provided text describes multiple vulnerabilities in IBM BladeCenter Advanced Management Module, including HTML injection, XSS, information disclosure, and CSRF. It includes a sample exploit URL demonstrating the XSS vulnerability but lacks functional exploit code.

Classification
Writeup 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Theoretical
Target: IBM BladeCenter Advanced Management Module < 1.42U
No auth needed
Prerequisites: Network access to the target system
MITRE ATT&CK
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (6)

Core 6
Core References
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/502582/100/0/threaded
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://osvdb.org/53658
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/34447
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1022025
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://osvdb.org/53657
Vendor Advisory x_refsource_misc
http://www.louhinetworks.fi/advisory/ibm_090409.txt

Scores

EPSS 0.0176
EPSS Percentile 75.2%

Details

CWE
CWE-79
Status published
Products (19)
ibm/advanced_management_module 1.36h
ibm/bladecenter e (3 CPE variants)
ibm/bladecenter h (2 CPE variants)
ibm/bladecenter hc10
ibm/bladecenter hs12 (3 CPE variants)
ibm/bladecenter hs20
ibm/bladecenter hs21 (2 CPE variants)
ibm/bladecenter hs21_xm (2 CPE variants)
ibm/bladecenter ht (2 CPE variants)
ibm/bladecenter js12
... and 9 more
Published Apr 13, 2009
Tracked Since Feb 18, 2026