CVE-2010-2654

Name of the Vulnerable Software and Affected Versions IBM BladeCenter with Advanced Management Module (AMM) versions prior to 4.7 and 5.0 IBM BladeCenter with Advanced Management Module (AMM) firmware build ID BPET48L

Description The issue allows remote attackers to inject arbitrary web script or HTML via several parameters to various PHP files. The affected parameters include INDEX, IPADDR, domain, slot, WEBINDEX, and SLOT in files such as private/cindefn.php, private/power management policy options.php, private/pm temp.php, private/power module.php, private/blade leds.php, and private/ipmi bladestatus.php.

Recommendations For IBM BladeCenter with Advanced Management Module (AMM) versions prior to 4.7 and 5.0, update to version 4.7 or 5.0 to resolve the issue. For IBM BladeCenter with Advanced Management Module (AMM) firmware build ID BPET48L, update to a version later than BPET48L to resolve the issue. As a temporary workaround, consider restricting access to the affected PHP files until a patch is available. Avoid using the parameters INDEX, IPADDR, domain, slot, WEBINDEX, and SLOT in the affected API endpoints until the issue is resolved.