ID

VAR-201603-0099


CVE

CVE-2015-7446


TITLE

IBM FlashSystem V9000 Vulnerable to cross-site request forgery

Trust: 0.8

sources: JVNDB: JVNDB-2015-006991

DESCRIPTION

Cross-site request forgery (CSRF) vulnerability in IBM Flash System V9000 7.4 before 7.4.1.4, 7.5 before 7.5.1.3, and 7.6 before 7.6.0.4 allows remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences. IBM FlashSystem V9000 is an all-flash enterprise-level storage solution developed by IBM Corporation in the United States. The solution provides a full set of disaster recovery tools (including snapshot, clone and replication) to protect data security and use IBM Virtual Storage Center to realize virtualization configuration and performance management. A remote attacker could exploit this vulnerability to insert an XSS sequence. The following models and versions are affected: IBM FlashSystem V9000 9846-AE2, 9848-AE2, 9846-AC2, 9848-AC2 7.4 prior to 7.4.1.4, 7.5 prior to 7.5.1.3, 7.6 prior to 7.6.0.4

Trust: 1.71

sources: NVD: CVE-2015-7446 // JVNDB: JVNDB-2015-006991 // VULHUB: VHN-85407

AFFECTED PRODUCTS

vendor:ibmmodel:flashsystem v9000scope:eqversion:7.5

Trust: 1.6

vendor:ibmmodel:flashsystem v9000scope:eqversion:7.4

Trust: 1.6

vendor:ibmmodel:flashsystem v9000scope:eqversion:7.6

Trust: 1.6

vendor:ibmmodel:flashsystem v9000scope:ltversion:7.4

Trust: 0.8

vendor:ibmmodel:flashsystem v9000 9846-ae2scope: - version: -

Trust: 0.8

vendor:ibmmodel:flashsystem v9000 9846-ac2scope: - version: -

Trust: 0.8

vendor:ibmmodel:flashsystem v9000scope:ltversion:7.6

Trust: 0.8

vendor:ibmmodel:flashsystem v9000scope:eqversion:7.6.0.4

Trust: 0.8

vendor:ibmmodel:flashsystem v9000scope:eqversion:7.5.1.3

Trust: 0.8

vendor:ibmmodel:flashsystem v9000scope:eqversion:7.4.1.4

Trust: 0.8

vendor:ibmmodel:flashsystem v9000 9848-ae2scope: - version: -

Trust: 0.8

vendor:ibmmodel:flashsystem v9000scope:ltversion:7.5

Trust: 0.8

vendor:ibmmodel:flashsystem v9000 9848-ac2scope: - version: -

Trust: 0.8

vendor:ibmmodel:flashsystem 9848-ac2scope:eqversion: -

Trust: 0.6

vendor:ibmmodel:flashsystem 9846-ac2scope:eqversion: -

Trust: 0.6

vendor:ibmmodel:flashsystem 9848-ae2scope:eqversion: -

Trust: 0.6

vendor:ibmmodel:flashsystem 9846-ae2scope:eqversion: -

Trust: 0.6

sources: JVNDB: JVNDB-2015-006991 // CNNVD: CNNVD-201603-202 // NVD: CVE-2015-7446

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2015-7446
value: HIGH

Trust: 1.0

NVD: CVE-2015-7446
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201603-202
value: MEDIUM

Trust: 0.6

VULHUB: VHN-85407
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2015-7446
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-85407
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2015-7446
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.0

Trust: 1.0

sources: VULHUB: VHN-85407 // JVNDB: JVNDB-2015-006991 // CNNVD: CNNVD-201603-202 // NVD: CVE-2015-7446

PROBLEMTYPE DATA

problemtype:CWE-352

Trust: 1.9

sources: VULHUB: VHN-85407 // JVNDB: JVNDB-2015-006991 // NVD: CVE-2015-7446

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201603-202

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-201603-202

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-006991

PATCH

title:S1005570url:http://www-01.ibm.com/support/docview.wss?uid=ssg1S1005570

Trust: 0.8

title:IBM FlashSystem V9000 Fixes for cross-site request forgery vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=60560

Trust: 0.6

sources: JVNDB: JVNDB-2015-006991 // CNNVD: CNNVD-201603-202

EXTERNAL IDS

db:NVDid:CVE-2015-7446

Trust: 2.5

db:JVNDBid:JVNDB-2015-006991

Trust: 0.8

db:CNNVDid:CNNVD-201603-202

Trust: 0.7

db:BIDid:84597

Trust: 0.1

db:VULHUBid:VHN-85407

Trust: 0.1

sources: VULHUB: VHN-85407 // JVNDB: JVNDB-2015-006991 // CNNVD: CNNVD-201603-202 // NVD: CVE-2015-7446

REFERENCES

url:http://www-01.ibm.com/support/docview.wss?uid=ssg1s1005570

Trust: 1.7

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-7446

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-7446

Trust: 0.8

sources: VULHUB: VHN-85407 // JVNDB: JVNDB-2015-006991 // CNNVD: CNNVD-201603-202 // NVD: CVE-2015-7446

SOURCES

db:VULHUBid:VHN-85407
db:JVNDBid:JVNDB-2015-006991
db:CNNVDid:CNNVD-201603-202
db:NVDid:CVE-2015-7446

LAST UPDATE DATE

2024-11-23T22:27:02.788000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-85407date:2018-10-17T00:00:00
db:JVNDBid:JVNDB-2015-006991date:2016-03-18T00:00:00
db:CNNVDid:CNNVD-201603-202date:2016-03-14T00:00:00
db:NVDid:CVE-2015-7446date:2024-11-21T02:36:48.283

SOURCES RELEASE DATE

db:VULHUBid:VHN-85407date:2016-03-12T00:00:00
db:JVNDBid:JVNDB-2015-006991date:2016-03-18T00:00:00
db:CNNVDid:CNNVD-201603-202date:2016-03-14T00:00:00
db:NVDid:CVE-2015-7446date:2016-03-12T15:59:00.150