DSA-2025-191: Security Update for Storage Center - Dell Storage Manager Vulnerabilities
Summary: Remediation is available for Storage Center - Dell Storage Manager (DSM) vulnerabilities that could be exploited by malicious users to compromise the affected system.
Not all product versions are identified in this article.
Impact
High
Details
| Third-party Component | CVEs | More Information |
| --- | --- | --- |
| OpenSSH | CVE-2023-48795 | https://nvd.nist.gov/vuln/search |
| jszip | CVE-2022-48285, CVE-2021-23413 | https://nvd.nist.gov/vuln/search |
| JQuery | CVE-2020-11022, CVE-2020-11023, CVE-2015-9251 | https://nvd.nist.gov/vuln/search |
| AngularJS | CVE-2020-7676 | https://nvd.nist.gov/vuln/search |
| Proprietary Code CVEs | Description | CVSS Base Score | CVSS Vector String |
| --- | --- | --- | --- |
| CVE-2025-22479 | Dell Storage Center - Dell Storage Manager, version(s) 20.0.21, contain(s) an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability. An unauthenticated attacker with adjacent network access could potentially exploit this vulnerability, leading to Script injection. | 3.5 | CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N |
| CVE-2025-22477 | Dell Storage Center - Dell Storage Manager, version(s) 20.1.20, contain(s) an Improper Authentication vulnerability. An unauthenticated attacker with adjacent network access could potentially exploit this vulnerability, leading to Elevation of privileges. | 8.3 | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L |
| CVE-2025-22478 | Dell Storage Center - Dell Storage Manager, version(s) 20.1.20, contain(s) an Improper Restriction of XML External Entity Reference vulnerability. An unauthenticated attacker with adjacent network access could potentially exploit this vulnerability, leading to Information disclosure and Information tampering. | 8.1 | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| CVE-2025-22476 | Dell Storage Center - Dell Storage Manager, version(s) 20.1.20, contain(s) an Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability. A low privileged attacker with adjacent network access could potentially exploit this vulnerability, leading to Remote execution. | 5.5 | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |
| CVE-2025-23379 | Dell Storage Center - Dell Storage Manager, version(s) 21.0.20, contain(s) an Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability. An unauthenticated attacker with adjacent network access could potentially exploit this vulnerability, leading to Script injection. | 3.5 | CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N |
Affected Products & Remediation
| Product | Software/Firmware | Affected Versions | Remediated Versions | Link |
| --- | --- | --- | --- | --- |
| Dell Storage Manager | DSM | Versions prior to 2020 R1.21 | Version 2020 R1.21 or later | https://www.dell.com/support/product-details/product/storage-scv3000/drivers |
Workarounds & Mitigations
| CVE ID | Workaround and Mitigation |
| --- | --- |
| CVE-2023-48795 | Remove vulnerable ChaCha20-Poly1305 cipher from SSH configuration |
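The workaround above is a one-liner in words but has an edge case in practice: when sshd_config carries no Ciphers line at all, OpenSSH uses its built-in default set, which includes chacha20-poly1305@openssh.com, so there is nothing to delete and an explicit directive has to be added instead. The following added example (not Dell's code, and generic to OpenSSH rather than to how DSM packages it) checks whether a given sshd_config text still permits the cipher and rewrites it using the explicit-list and `-` removal forms documented in sshd_config(5); the sample configs are constructed.

```python
import re

# Cipher the advisory's workaround for CVE-2023-48795 says to remove from the SSH configuration.
VULNERABLE = "chacha20-poly1305@openssh.com"
_CIPHERS_RE = re.compile(r"^(\s*)ciphers(?:\s*=\s*|\s+)(\S+)", re.IGNORECASE)

def _parse(line: str):
    """Return (indent, prefix, [names]) for a Ciphers line, None for anything else (comments never match)."""
    m = _CIPHERS_RE.match(line)
    if not m:
        return None
    indent, spec = m.groups()
    prefix = spec[0] if spec[0] in "+-^" else ""
    return indent, prefix, [n for n in spec[len(prefix):].split(",") if n]

def allows_vulnerable_cipher(config_text: str) -> bool:
    """True if sshd would still offer chacha20-poly1305@openssh.com under this config.
    Only the first Ciphers line matters: sshd keeps the first value it obtains per keyword."""
    for line in config_text.splitlines():
        parsed = _parse(line)
        if parsed is None:
            continue
        _, prefix, names = parsed
        if prefix == "":              # explicit list replaces the defaults
            return VULNERABLE in names
        if prefix == "-":             # removal list applied to the defaults
            return VULNERABLE not in names
        return True                   # '+' / '^' keep the defaults, which include it
    return True                       # no Ciphers line at all: defaults include it

def harden_ciphers(config_text: str) -> str:
    """Rewrite config_text so the vulnerable cipher is disabled; other lines are untouched."""
    lines = config_text.splitlines()
    for i, line in enumerate(lines):
        parsed = _parse(line)
        if parsed is None:
            continue
        indent, prefix, names = parsed
        if prefix == "-":
            names = names if VULNERABLE in names else names + [VULNERABLE]
        elif prefix == "":
            names = [n for n in names if n != VULNERABLE]
            if not names:             # an empty explicit list would fall back to the defaults
                prefix, names = "-", [VULNERABLE]
        else:
            raise ValueError(f"line {i + 1}: '{prefix}' Ciphers form needs a manual rewrite")
        lines[i] = f"{indent}Ciphers {prefix}{','.join(names)}"
        return "\n".join(lines) + "\n"
    # No Ciphers line: prepend a removal directive (Ciphers is not valid inside Match blocks).
    return f"Ciphers -{VULNERABLE}\n" + config_text
```

Restart sshd after changing the file, and re-run allows_vulnerable_cipher on the deployed text to confirm the first Ciphers line is the hardened one.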
Revision History
| Revision | Date | Description |
| --- | --- | --- |
| 1.0 | 2025-05-05 | Initial Release |
| 2.0 | 2025-05-06 | Adding acknowledgements |
| 3.0 | 2025-05-06 | Corrected minor spelling mistakes. |
Acknowledgements
CVE-2025-23379, CVE-2025-22479: Dell would like to thank redfr0g for reporting this issue.
CVE-2025-22477, CVE-2025-22478: Dell would like to thank sradulea for reporting this issue.
CVE-2025-22476: Dell would like to thank sradulea and xiaohei from Ubisectech Sirius Team for reporting this issue.
Affected Products
Dell Storage Manager
Article Properties
Article Number: 000317318
Article Type: Dell Security Advisory
Last Modified: 06 May 2025