DSA-2020-277: Dell EMC Unisphere PowerMax Cross-Site Scripting (XSS) Vulnerability

Sommaire: Dell EMC Unisphere PowerMax contains remediation for a Cross-Site Scripting (XSS) Vulnerability that could be exploited by malicious users to compromise the affected system.

Cet article s’applique à Cet article ne s’applique pas à Cet article n’est lié à aucun produit spécifique. Toutes les versions de produits ne sont pas identifiées dans cet article.
Consulter d’autres ressources

Impact

Medium

Détails

Proprietary Code CVE(s) Description CVSSBase Score CVSS Vector String
CVE-2020-35170
 		 Dell EMC Unisphere for PowerMax versions prior to 9.1.0.24 contain a Stored Cross-Site Scripting vulnerability. A remote, authenticated attacker could potentially exploit this vulnerability, leading to the storage of malicious HTML or JavaScript codes in a trusted application data store. When a victim user accesses the data store through their browsers, the malicious code gets executed by the web browser in the context of the vulnerable web application. Exploitation may lead to information disclosure, session theft, or client-side request forgery 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Proprietary Code CVE(s) Description CVSSBase Score CVSS Vector String
CVE-2020-35170
 		 Dell EMC Unisphere for PowerMax versions prior to 9.1.0.24 contain a Stored Cross-Site Scripting vulnerability. A remote, authenticated attacker could potentially exploit this vulnerability, leading to the storage of malicious HTML or JavaScript codes in a trusted application data store. When a victim user accesses the data store through their browsers, the malicious code gets executed by the web browser in the context of the vulnerable web application. Exploitation may lead to information disclosure, session theft, or client-side request forgery 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Dell Technologies recommande à tous ses clients de tenir compte à la fois du score de base CVSS et de tous les scores temporels et environnementaux pertinents qui pourraient avoir une incidence sur la gravité potentielle associée à une vulnérabilité de sécurité particulière.

Produits touchés et correction

Product Affected Version(s) Updated Version(s) Link to Update
Unisphere for PowerMax Versions prior to 9.1.0.24 9.1.0.24

EEM: 9.1.0.853		 https://www.dell.com/support/home/en-us/product-support/product/unisphere-powermax/drivers
Unisphere for PowerMax Versions prior to 9.2.0.6 9.2.0.6

EEM: 9.2.0.1018		 https://www.dell.com/support/home/en-us/product-support/product/unisphere-powermax/drivers
PowerMax OS 5978 5978 Request OPT 577141

Request OPT 576388
Product Affected Version(s) Updated Version(s) Link to Update
Unisphere for PowerMax Versions prior to 9.1.0.24 9.1.0.24

EEM: 9.1.0.853		 https://www.dell.com/support/home/en-us/product-support/product/unisphere-powermax/drivers
Unisphere for PowerMax Versions prior to 9.2.0.6 9.2.0.6

EEM: 9.2.0.1018		 https://www.dell.com/support/home/en-us/product-support/product/unisphere-powermax/drivers
PowerMax OS 5978 5978 Request OPT 577141

Request OPT 576388

Solutions de contournement et mesures d’atténuation

Any chart or dashboard with stored cross-site scripting needs to be deleted to remove the stored XSS.

Historique de révision

RevisionDateDescription
1.02020-12-14Initial Release

Reconnaissances

Dell would like to thank Tomasz Stachowicz and Przemek Nowakowski for reporting this issue.

Renseignements connexes

Dell Security Advisories and Notices
Dell Vulnerability Response Policy
CVSS Scoring Guide

Avis de non-responsabilité

Produits touchés

PowerMaxOS 5978, Unisphere for PowerMax
Propriétés de l’article
Numéro d’article: 000181212
Type d’article: Dell Security Advisory
Dernière modification: 17 déc. 2020
Obtenez des réponses à vos questions auprès d’autre utilisateurs de Dell
Services de soutien
Vérifiez si votre appareil est couvert par les services de soutien.