Skip to main content
Sign Out

Welcome to Dell

My Account
  • Place orders quickly and easily
  • View orders and track your shipping status
  • Create and access a list of your products
  • Manage your Dell EMC sites, products, and product-level contacts using Company Administration.
Sign In Create an Account Premier Sign In Partner Program Sign In

Your Dell.com Baskets

Some article numbers may have changed. If this isn't what you're looking for, try searching all articles. Search articles

Article Number: 000181212

DSA-2020-277: Dell EMC Unisphere PowerMax Cross-Site Scripting (XSS) Vulnerability

Summary: Dell EMC Unisphere PowerMax contains remediation for a Cross-Site Scripting (XSS) Vulnerability that could be exploited by malicious users to compromise the affected system.

Article Content

Impact

Medium

Details

Proprietary Code CVE(s) Description CVSSBase Score CVSS Vector String
CVE-2020-35170
 		 Dell EMC Unisphere for PowerMax versions prior to 9.1.0.24 contain a Stored Cross-Site Scripting vulnerability. A remote, authenticated attacker could potentially exploit this vulnerability, leading to the storage of malicious HTML or JavaScript codes in a trusted application data store. When a victim user accesses the data store through their browsers, the malicious code gets executed by the web browser in the context of the vulnerable web application. Exploitation may lead to information disclosure, session theft, or client-side request forgery 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Proprietary Code CVE(s) Description CVSSBase Score CVSS Vector String
CVE-2020-35170
 		 Dell EMC Unisphere for PowerMax versions prior to 9.1.0.24 contain a Stored Cross-Site Scripting vulnerability. A remote, authenticated attacker could potentially exploit this vulnerability, leading to the storage of malicious HTML or JavaScript codes in a trusted application data store. When a victim user accesses the data store through their browsers, the malicious code gets executed by the web browser in the context of the vulnerable web application. Exploitation may lead to information disclosure, session theft, or client-side request forgery 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Dell Technologies recommends all customers consider both the CVSS base score and any relevant temporal and environmental scores that may impact the potential severity associated with a particular security vulnerability.

Affected Products and Remediation

Product Affected Version(s) Updated Version(s) Link to Update
Unisphere for PowerMax Versions prior to 9.1.0.24 9.1.0.24

EEM: 9.1.0.853		 https://www.dell.com/support/home/en-us/product-support/product/unisphere-powermax/drivers
Unisphere for PowerMax Versions prior to 9.2.0.6 9.2.0.6

EEM: 9.2.0.1018		 https://www.dell.com/support/home/en-us/product-support/product/unisphere-powermax/drivers
PowerMax OS 5978 5978 Request OPT 577141

Request OPT 576388
Product Affected Version(s) Updated Version(s) Link to Update
Unisphere for PowerMax Versions prior to 9.1.0.24 9.1.0.24

EEM: 9.1.0.853		 https://www.dell.com/support/home/en-us/product-support/product/unisphere-powermax/drivers
Unisphere for PowerMax Versions prior to 9.2.0.6 9.2.0.6

EEM: 9.2.0.1018		 https://www.dell.com/support/home/en-us/product-support/product/unisphere-powermax/drivers
PowerMax OS 5978 5978 Request OPT 577141

Request OPT 576388

Workarounds and Mitigations

Any chart or dashboard with stored cross-site scripting needs to be deleted to remove the stored XSS.

Acknowledgements

Dell would like to thank Tomasz Stachowicz and Przemek Nowakowski for reporting this issue.

Revision History

RevisionDateDescription
1.02020-12-14Initial Release

Related Information

Dell Security Advisories and Notices
Dell Vulnerability Response Policy
CVSS Scoring Guide

Legal Information

Article Properties

Affected Product

PowerMaxOS 5978, Unisphere for PowerMax

Last Published Date

17 Dec 2020

Version

1

Article Type

Dell Security Advisory

Back to Top