Vulnerability Description
In System Management Module (SMM) versions prior to 1.06, the SMM web interface for changing Enclosure VPD fails to sufficiently sanitize all input for HTML tags, possibly opening a path for cross-site scripting.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Lenovo | System Management Module Firmware | < 1.06 |
| Lenovo | Thinkagile Hx Enclosure 7X81 | - |
| Lenovo | Thinkagile Hx Enclosure 7Y87 | - |
| Lenovo | Thinkagile Hx Enclosure 7Z02 | - |
| Lenovo | Thinkagile Vx Enclosure 7Y11 | - |
| Lenovo | Thinkagile Vx Enclosure 7Y91 | - |
| Lenovo | Thinksystem D2 Enclosure 7X20 | - |
| Lenovo | Thinksystem Modular Enclosure 7X22 | - |
Related Weaknesses (CWE)
References
- https://support.lenovo.com/us/en/solutions/LEN-24374Vendor Advisory
- https://support.lenovo.com/us/en/solutions/LEN-24374Vendor Advisory
FAQ
What is CVE-2018-16096?
CVE-2018-16096 is a vulnerability with a CVSS score of 6.1 (MEDIUM). In System Management Module (SMM) versions prior to 1.06, the SMM web interface for changing Enclosure VPD fails to sufficiently sanitize all input for HTML tags, possibly opening a path for cross-sit...
How severe is CVE-2018-16096?
CVE-2018-16096 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2018-16096?
Check the references section above for vendor advisories and patch information. Affected products include: Lenovo System Management Module Firmware, Lenovo Thinkagile Hx Enclosure 7X81, Lenovo Thinkagile Hx Enclosure 7Y87, Lenovo Thinkagile Hx Enclosure 7Z02, Lenovo Thinkagile Vx Enclosure 7Y11.