nvd-json-data-feeds/CVE-2024/CVE-2024-16xx/CVE-2024-1606.json

{
  "id": "CVE-2024-1606",
  "sourceIdentifier": "cvd@cert.pl",
  "published": "2024-03-18T10:15:20.863",
  "lastModified": "2025-03-06T19:38:53.547",
  "vulnStatus": "Analyzed",
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Lack of input sanitization in BMC Control-M  branches 9.0.20 and 9.0.21 allows logged-in users for\u00a0manipulation of generated  web pages via injection of  HTML code. This might lead to a successful phishing attack for example by tricking users into using a hyperlink pointing to a website controlled by an attacker.\n\nFix for 9.0.20 branch was released in version 9.0.20.238.\u00a0Fix for 9.0.21 branch was released in version 9.0.21.200. \n\n"
    },
    {
      "lang": "es",
      "value": "La falta de sanitizaci\u00f3n de entradas en las ramas 9.0.20 y 9.0.21 de BMC Control-M permite a los usuarios registrados manipular las p\u00e1ginas web generadas mediante la inyecci\u00f3n de c\u00f3digo HTML. Esto podr\u00eda conducir a un ataque de phishing exitoso, por ejemplo, enga\u00f1ando a los usuarios para que utilicen un hiperv\u00ednculo que apunte a un sitio web controlado por un atacante. La soluci\u00f3n para la rama 9.0.20 se lanz\u00f3 en la versi\u00f3n 9.0.20.238. La soluci\u00f3n para la rama 9.0.21 se lanz\u00f3 en la versi\u00f3n 9.0.21.200."
    }
  ],
  "metrics": {
    "cvssMetricV31": [
      {
        "source": "cvd@cert.pl",
        "type": "Secondary",
        "cvssData": {
          "version": "3.1",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
          "baseScore": 4.6,
          "baseSeverity": "MEDIUM",
          "attackVector": "NETWORK",
          "attackComplexity": "LOW",
          "privilegesRequired": "LOW",
          "userInteraction": "REQUIRED",
          "scope": "UNCHANGED",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "availabilityImpact": "NONE"
        },
        "exploitabilityScore": 2.1,
        "impactScore": 2.5
      },
      {
        "source": "nvd@nist.gov",
        "type": "Primary",
        "cvssData": {
          "version": "3.1",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "attackVector": "NETWORK",
          "attackComplexity": "LOW",
          "privilegesRequired": "LOW",
          "userInteraction": "REQUIRED",
          "scope": "CHANGED",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "availabilityImpact": "NONE"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7
      }
    ]
  },
  "weaknesses": [
    {
      "source": "cvd@cert.pl",
      "type": "Secondary",
      "description": [
        {
          "lang": "en",
          "value": "CWE-80"
        }
      ]
    },
    {
      "source": "nvd@nist.gov",
      "type": "Secondary",
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ]
    }
  ],
  "configurations": [
    {
      "nodes": [
        {
          "operator": "OR",
          "negate": false,
          "cpeMatch": [
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:a:bmc:control-m:*:*:*:*:*:*:*:*",
              "versionStartIncluding": "9.0.20",
              "versionEndExcluding": "9.0.20.238",
              "matchCriteriaId": "87B57AF2-7AB2-48C3-A85B-A918033C70AF"
            },
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:a:bmc:control-m:*:*:*:*:*:*:*:*",
              "versionStartIncluding": "9.0.21",
              "versionEndExcluding": "9.0.21.201",
              "matchCriteriaId": "8F86D69B-93E8-42A3-8D24-CDB59F33A388"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "url": "https://cert.pl/en/posts/2024/03/CVE-2024-1604",
      "source": "cvd@cert.pl",
      "tags": [
        "Third Party Advisory"
      ]
    },
    {
      "url": "https://cert.pl/posts/2024/03/CVE-2024-1604",
      "source": "cvd@cert.pl",
      "tags": [
        "Third Party Advisory"
      ]
    },
    {
      "url": "https://www.bmc.com/it-solutions/control-m.html",
      "source": "cvd@cert.pl",
      "tags": [
        "Product"
      ]
    },
    {
      "url": "https://cert.pl/en/posts/2024/03/CVE-2024-1604",
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ]
    },
    {
      "url": "https://cert.pl/posts/2024/03/CVE-2024-1604",
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ]
    },
    {
      "url": "https://www.bmc.com/it-solutions/control-m.html",
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product"
      ]
    }
  ]
}
Auto-Update: 2024-03-18T11:00:37.871709+00:00 2024-03-18 11:03:27 +00:00			`{`
			`"id": "CVE-2024-1606",`
			`"sourceIdentifier": "cvd@cert.pl",`
			`"published": "2024-03-18T10:15:20.863",`
Auto-Update: 2025-03-16T03:00:19.723046+00:00 2025-03-16 03:03:50 +00:00			`"lastModified": "2025-03-06T19:38:53.547",`
Auto-Update: 2025-03-09T03:00:19.873769+00:00 2025-03-09 03:03:50 +00:00			`"vulnStatus": "Analyzed",`
Auto-Update: 2024-07-14T02:00:17.787041+00:00 2024-07-14 02:06:08 +00:00			`"cveTags": [],`
Auto-Update: 2024-03-18T11:00:37.871709+00:00 2024-03-18 11:03:27 +00:00			`"descriptions": [`
			`{`
			`"lang": "en",`
			`"value": "Lack of input sanitization in BMC Control-M branches 9.0.20 and 9.0.21 allows logged-in users for\u00a0manipulation of generated web pages via injection of HTML code. This might lead to a successful phishing attack for example by tricking users into using a hyperlink pointing to a website controlled by an attacker.\n\nFix for 9.0.20 branch was released in version 9.0.20.238.\u00a0Fix for 9.0.21 branch was released in version 9.0.21.200. \n\n"`
Auto-Update: 2024-03-18T15:00:38.809752+00:00 2024-03-18 15:03:26 +00:00			`},`
			`{`
			`"lang": "es",`
			"value": "La falta de sanitizaci\u00f3n de entradas en las ramas 9.0.20 y 9.0.21 de BMC Control-M permite a los usuarios registrados manipular las p\u00e1ginas web generadas mediante la inyecci\u00f3n de c\u00f3digo HTML. Esto podr\u00eda conducir a un ataque de phishing exitoso, por ejemplo, enga\u00f1ando a los usuarios para que utilicen un hiperv\u00ednculo que apunte a un sitio web controlado por un atacante. La soluci\u00f3n para la rama 9.0.20 se lanz\u00f3 en la versi\u00f3n 9.0.20.238. La soluci\u00f3n para la rama 9.0.21 se lanz\u00f3 en la versi\u00f3n 9.0.21.200."
Auto-Update: 2024-03-18T11:00:37.871709+00:00 2024-03-18 11:03:27 +00:00			`}`
			`],`
			`"metrics": {`
			`"cvssMetricV31": [`
			`{`
			`"source": "cvd@cert.pl",`
			`"type": "Secondary",`
			`"cvssData": {`
			`"version": "3.1",`
			`"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",`
Auto-Update: 2024-12-08T03:00:18.988682+00:00 2024-12-08 03:06:42 +00:00			`"baseScore": 4.6,`
			`"baseSeverity": "MEDIUM",`
Auto-Update: 2024-03-18T11:00:37.871709+00:00 2024-03-18 11:03:27 +00:00			`"attackVector": "NETWORK",`
			`"attackComplexity": "LOW",`
			`"privilegesRequired": "LOW",`
			`"userInteraction": "REQUIRED",`
			`"scope": "UNCHANGED",`
			`"confidentialityImpact": "LOW",`
			`"integrityImpact": "LOW",`
Auto-Update: 2024-12-08T03:00:18.988682+00:00 2024-12-08 03:06:42 +00:00			`"availabilityImpact": "NONE"`
Auto-Update: 2024-03-18T11:00:37.871709+00:00 2024-03-18 11:03:27 +00:00			`},`
			`"exploitabilityScore": 2.1,`
			`"impactScore": 2.5`
Auto-Update: 2025-03-09T03:00:19.873769+00:00 2025-03-09 03:03:50 +00:00			`},`
			`{`
			`"source": "nvd@nist.gov",`
			`"type": "Primary",`
			`"cvssData": {`
			`"version": "3.1",`
			`"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",`
			`"baseScore": 5.4,`
			`"baseSeverity": "MEDIUM",`
			`"attackVector": "NETWORK",`
			`"attackComplexity": "LOW",`
			`"privilegesRequired": "LOW",`
			`"userInteraction": "REQUIRED",`
			`"scope": "CHANGED",`
			`"confidentialityImpact": "LOW",`
			`"integrityImpact": "LOW",`
			`"availabilityImpact": "NONE"`
			`},`
			`"exploitabilityScore": 2.3,`
			`"impactScore": 2.7`
Auto-Update: 2024-03-18T11:00:37.871709+00:00 2024-03-18 11:03:27 +00:00			`}`
			`]`
			`},`
			`"weaknesses": [`
			`{`
			`"source": "cvd@cert.pl",`
			`"type": "Secondary",`
			`"description": [`
			`{`
			`"lang": "en",`
			`"value": "CWE-80"`
			`}`
			`]`
Auto-Update: 2025-03-09T03:00:19.873769+00:00 2025-03-09 03:03:50 +00:00			`},`
			`{`
			`"source": "nvd@nist.gov",`
			`"type": "Secondary",`
			`"description": [`
			`{`
			`"lang": "en",`
			`"value": "CWE-79"`
			`}`
			`]`
			`}`
			`],`
			`"configurations": [`
			`{`
			`"nodes": [`
			`{`
			`"operator": "OR",`
			`"negate": false,`
			`"cpeMatch": [`
			`{`
			`"vulnerable": true,`
			`"criteria": "cpe:2.3:a:bmc:control-m::::::::",`
			`"versionStartIncluding": "9.0.20",`
			`"versionEndExcluding": "9.0.20.238",`
			`"matchCriteriaId": "87B57AF2-7AB2-48C3-A85B-A918033C70AF"`
			`},`
			`{`
			`"vulnerable": true,`
			`"criteria": "cpe:2.3:a:bmc:control-m::::::::",`
			`"versionStartIncluding": "9.0.21",`
			`"versionEndExcluding": "9.0.21.201",`
			`"matchCriteriaId": "8F86D69B-93E8-42A3-8D24-CDB59F33A388"`
			`}`
			`]`
			`}`
			`]`
Auto-Update: 2024-03-18T11:00:37.871709+00:00 2024-03-18 11:03:27 +00:00			`}`
			`],`
			`"references": [`
			`{`
			`"url": "https://cert.pl/en/posts/2024/03/CVE-2024-1604",`
Auto-Update: 2025-03-09T03:00:19.873769+00:00 2025-03-09 03:03:50 +00:00			`"source": "cvd@cert.pl",`
			`"tags": [`
			`"Third Party Advisory"`
			`]`
Auto-Update: 2024-03-18T11:00:37.871709+00:00 2024-03-18 11:03:27 +00:00			`},`
			`{`
			`"url": "https://cert.pl/posts/2024/03/CVE-2024-1604",`
Auto-Update: 2025-03-09T03:00:19.873769+00:00 2025-03-09 03:03:50 +00:00			`"source": "cvd@cert.pl",`
			`"tags": [`
			`"Third Party Advisory"`
			`]`
Auto-Update: 2024-03-18T11:00:37.871709+00:00 2024-03-18 11:03:27 +00:00			`},`
			`{`
			`"url": "https://www.bmc.com/it-solutions/control-m.html",`
Auto-Update: 2025-03-09T03:00:19.873769+00:00 2025-03-09 03:03:50 +00:00			`"source": "cvd@cert.pl",`
			`"tags": [`
			`"Product"`
			`]`
Auto-Update: 2024-12-08T03:00:18.988682+00:00 2024-12-08 03:06:42 +00:00			`},`
			`{`
			`"url": "https://cert.pl/en/posts/2024/03/CVE-2024-1604",`
Auto-Update: 2025-03-09T03:00:19.873769+00:00 2025-03-09 03:03:50 +00:00			`"source": "af854a3a-2127-422b-91ae-364da2661108",`
			`"tags": [`
			`"Third Party Advisory"`
			`]`
Auto-Update: 2024-12-08T03:00:18.988682+00:00 2024-12-08 03:06:42 +00:00			`},`
			`{`
			`"url": "https://cert.pl/posts/2024/03/CVE-2024-1604",`
Auto-Update: 2025-03-09T03:00:19.873769+00:00 2025-03-09 03:03:50 +00:00			`"source": "af854a3a-2127-422b-91ae-364da2661108",`
			`"tags": [`
			`"Third Party Advisory"`
			`]`
Auto-Update: 2024-12-08T03:00:18.988682+00:00 2024-12-08 03:06:42 +00:00			`},`
			`{`
			`"url": "https://www.bmc.com/it-solutions/control-m.html",`
Auto-Update: 2025-03-09T03:00:19.873769+00:00 2025-03-09 03:03:50 +00:00			`"source": "af854a3a-2127-422b-91ae-364da2661108",`
			`"tags": [`
			`"Product"`
			`]`
Auto-Update: 2024-03-18T11:00:37.871709+00:00 2024-03-18 11:03:27 +00:00			`}`
			`]`
			`}`