CVE-2024-1606

Description

Lack of input sanitization in BMC Control-M branches 9.0.20 and 9.0.21 allows logged-in users for manipulation of generated web pages via injection of HTML code. This might lead to a successful phishing attack for example by tricking users into using a hyperlink pointing to a website controlled by an attacker. Fix for 9.0.20 branch was released in version 9.0.20.238. Fix for 9.0.21 branch was released in version 9.0.21.200.

CVSS breakdown

CVSS 3.1

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

Affected products

BMC / Control-M9.0.20 – 9.0.20.238
BMC / Control-M9.0.21 – 9.0.21.200

References

MISChttps://cert.pl/posts/2024/03/CVE-2024-1604
MISChttps://cert.pl/en/posts/2024/03/CVE-2024-1604
MISChttps://www.bmc.com/it-solutions/control-m.html