{ "id": "CVE-2020-4987", "sourceIdentifier": "psirt@us.ibm.com", "published": "2021-05-04T16:15:07.827", "lastModified": "2022-01-01T18:03:56.647", "vulnStatus": "Analyzed", "descriptions": [ { "lang": "en", "value": "The IBM FlashSystem 900 user management GUI is vulnerable to stored cross-site scripting in code versions 1.5.2.8 and prior and 1.6.1.2 and prior. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session." }, { "lang": "es", "value": "La interfaz gr\u00e1fica de gesti\u00f3n de usuarios de IBM FlashSystem 900 es vulnerable a un ataque de tipo cross-site scripting almacenado en las versiones de c\u00f3digo 1.5.2.8 y anteriores y 1.6.1.2 y anteriores. Esta vulnerabilidad permite a los usuarios incrustar c\u00f3digo JavaScript arbitrario en la interfaz de usuario web, alterando as\u00ed la funcionalidad prevista, lo que podr\u00eda conducir a la divulgaci\u00f3n de credenciales dentro de una sesi\u00f3n de confianza" } ], "metrics": { "cvssMetricV31": [ { "source": "nvd@nist.gov", "type": "Primary", "cvssData": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM" }, "exploitabilityScore": 2.3, "impactScore": 2.7 } ], "cvssMetricV30": [ { "source": "psirt@us.ibm.com", "type": "Secondary", "cvssData": { "version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM" }, "exploitabilityScore": 3.1, "impactScore": 2.7 } ], "cvssMetricV2": [ { "source": "nvd@nist.gov", "type": "Primary", "cvssData": { "version": "2.0", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "accessVector": "NETWORK", "accessComplexity": "MEDIUM", "authentication": "SINGLE", "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "availabilityImpact": "NONE", "baseScore": 3.5 }, "baseSeverity": "LOW", "exploitabilityScore": 6.8, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true } ] }, "weaknesses": [ { "source": "nvd@nist.gov", "type": "Primary", "description": [ { "lang": "en", "value": "CWE-79" } ] } ], "configurations": [ { "operator": "AND", "nodes": [ { "operator": "OR", "negate": false, "cpeMatch": [ { "vulnerable": true, "criteria": "cpe:2.3:o:ibm:flashsystem_900_firmware:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.5.2.9", "matchCriteriaId": "FE7B847D-C21B-4071-B0A6-FE3CCBAAF0E1" }, { "vulnerable": true, "criteria": "cpe:2.3:o:ibm:flashsystem_900_firmware:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.6.0.0", "versionEndExcluding": "1.6.1.3", "matchCriteriaId": "F8AB5BBC-C0AB-4C0B-A678-4276174FC669" } ] }, { "operator": "OR", "negate": false, "cpeMatch": [ { "vulnerable": false, "criteria": "cpe:2.3:h:ibm:flashsystem_900:-:*:*:*:*:*:*:*", "matchCriteriaId": "B8D92192-32CA-461B-8326-955F71EFA8E3" } ] } ] } ], "references": [ { "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/192702", "source": "psirt@us.ibm.com", "tags": [ "VDB Entry", "Vendor Advisory" ] }, { "url": "https://www.ibm.com/support/pages/node/6449280", "source": "psirt@us.ibm.com", "tags": [ "Vendor Advisory" ] } ] }