CVE-2018-16096

CWE-79 — Cross-site Scripting (XSS)3 documents3 sources

Severity

6.1MEDIUM

EPSS

0.3%

top 46.56%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Lenovo Thinksystem SMM Lenovo System Management Module Firmware

Timeline

PublishedNov 27

Latest updateMay 14

Description

In System Management Module (SMM) versions prior to 1.06, the SMM web interface for changing Enclosure VPD fails to sufficiently sanitize all input for HTML tags, possibly opening a path for cross-site scripting.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

▶NVDlenovo/system_management_module_firmware< 1.06

▶CVEListV5lenovo/thinksystem_smmunspecified — 1.06

🔴Vulnerability Details

GHSA

GHSA-8r33-m54x-657r: In System Management Module (SMM) versions prior to 1↗2022-05-14

▶

CVEList

System Management Module Vulnerabilities↗2018-11-27

▶