CVE-2019-6159
MEDIUM
Lenovo BladeCenter and System x IMM v1 - Unauthenticated Stored Cross-Site Scripting in Log Viewer
Title source: llm
Description
A stored cross-site scripting (XSS) vulnerability exists in various firmware versions of the legacy IBM System x IMM (IMM v1) embedded Baseboard Management Controller (BMC). This vulnerability could allow an unauthenticated user to cause JavaScript code to be stored in the IMM log which may then be executed in the user's web browser when IMM log records containing the JavaScript code are viewed. The JavaScript code is not executed on IMM itself. The later IMM2 (IMM v2) is not affected.
References (2)
Core References
Mitigation, Vendor Advisory x_refsource_misc
https://support.lenovo.com/solutions/LEN-24785
Third Party Advisory, VDB Entry
https://exchange.xforce.ibmcloud.com/vulnerabilities/165069
Scores
CVSS v3
6.1
EPSS
0.0024
EPSS Percentile
47.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (15)
lenovo/bladecenter_hs22_firmware
lenovo/bladecenter_hs22v_firmware
lenovo/bladecenter_hx5_firmware
lenovo/system_x3400_m3_firmware
lenovo/system_x3500_m2_firmware
lenovo/system_x3500_m3_firmware
lenovo/system_x3550_m3_firmware
lenovo/system_x3560_m2_firmware
lenovo/system_x3630_m3_firmware
lenovo/system_x3650_m3_firmware
... and 5 more
Published
Aug 19, 2019
Tracked Since
Feb 18, 2026