CVE-2014-3080

Name of the Vulnerable Software and Affected Versions IBM GCM16 and GCM32 Global Console Manager switches with firmware before 1.20.20.23447

Description The issue concerns multiple cross-site scripting (XSS) vulnerabilities. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML via specific parameters. The affected API endpoints include "kvm.cgi" and "avctalert.php", with vulnerable parameters being the query string to "kvm.cgi" and the key parameter to "avctalert.php".

Recommendations For IBM GCM16 and GCM32 Global Console Manager switches with firmware before 1.20.20.23447, update the firmware to version 1.20.20.23447 or later to resolve the issue. As a temporary workaround, consider restricting access to the "kvm.cgi" and "avctalert.php" endpoints to minimize the risk of exploitation. Avoid using the key parameter in the "avctalert.php" endpoint until the issue is resolved.