Details of VAR-201603-0099

ID

VAR-201603-0099

CVE

CVE-2015-7446

TITLE

IBM FlashSystem V9000 Vulnerable to cross-site request forgery

Trust: 0.8

sources: JVNDB: JVNDB-2015-006991

DESCRIPTION

Cross-site request forgery (CSRF) vulnerability in IBM Flash System V9000 7.4 before 7.4.1.4, 7.5 before 7.5.1.3, and 7.6 before 7.6.0.4 allows remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences. IBM FlashSystem V9000 is an all-flash enterprise-level storage solution developed by IBM Corporation in the United States. The solution provides a full set of disaster recovery tools (including snapshot, clone and replication) to protect data security and use IBM Virtual Storage Center to realize virtualization configuration and performance management. A remote attacker could exploit this vulnerability to insert an XSS sequence. The following models and versions are affected: IBM FlashSystem V9000 9846-AE2, 9848-AE2, 9846-AC2, 9848-AC2 7.4 prior to 7.4.1.4, 7.5 prior to 7.5.1.3, 7.6 prior to 7.6.0.4

Trust: 1.71

sources: NVD: CVE-2015-7446 // JVNDB: JVNDB-2015-006991 // VULHUB: VHN-85407

AFFECTED PRODUCTS

vendor:	ibm	model:	flashsystem v9000	scope:	eq	version:	7.5	Trust: 1.6
vendor:	ibm	model:	flashsystem v9000	scope:	eq	version:	7.4	Trust: 1.6
vendor:	ibm	model:	flashsystem v9000	scope:	eq	version:	7.6	Trust: 1.6
vendor:	ibm	model:	flashsystem v9000	scope:	lt	version:	7.4	Trust: 0.8
vendor:	ibm	model:	flashsystem v9000 9846-ae2	scope:	-	version:	-	Trust: 0.8
vendor:	ibm	model:	flashsystem v9000 9846-ac2	scope:	-	version:	-	Trust: 0.8
vendor:	ibm	model:	flashsystem v9000	scope:	lt	version:	7.6	Trust: 0.8
vendor:	ibm	model:	flashsystem v9000	scope:	eq	version:	7.6.0.4	Trust: 0.8
vendor:	ibm	model:	flashsystem v9000	scope:	eq	version:	7.5.1.3	Trust: 0.8
vendor:	ibm	model:	flashsystem v9000	scope:	eq	version:	7.4.1.4	Trust: 0.8
vendor:	ibm	model:	flashsystem v9000 9848-ae2	scope:	-	version:	-	Trust: 0.8
vendor:	ibm	model:	flashsystem v9000	scope:	lt	version:	7.5	Trust: 0.8
vendor:	ibm	model:	flashsystem v9000 9848-ac2	scope:	-	version:	-	Trust: 0.8
vendor:	ibm	model:	flashsystem 9848-ac2	scope:	eq	version:	-	Trust: 0.6
vendor:	ibm	model:	flashsystem 9846-ac2	scope:	eq	version:	-	Trust: 0.6
vendor:	ibm	model:	flashsystem 9848-ae2	scope:	eq	version:	-	Trust: 0.6
vendor:	ibm	model:	flashsystem 9846-ae2	scope:	eq	version:	-	Trust: 0.6

sources: JVNDB: JVNDB-2015-006991 // CNNVD: CNNVD-201603-202 // NVD: CVE-2015-7446

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2015-7446
value:	HIGH
Trust: 1.0
NVD:	CVE-2015-7446
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201603-202
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-85407
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2015-7446
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-85407
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2015-7446
baseSeverity:	HIGH
baseScore:	8.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	5.9
version:	3.0
Trust: 1.0

sources: VULHUB: VHN-85407 // JVNDB: JVNDB-2015-006991 // CNNVD: CNNVD-201603-202 // NVD: CVE-2015-7446

PROBLEMTYPE DATA

problemtype:

CWE-352

Trust: 1.9

sources: VULHUB: VHN-85407 // JVNDB: JVNDB-2015-006991 // NVD: CVE-2015-7446

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201603-202

TYPE

cross-site request forgery

Trust: 0.6

sources: CNNVD: CNNVD-201603-202

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-006991

PATCH

title:	S1005570	url:	http://www-01.ibm.com/support/docview.wss?uid=ssg1S1005570	Trust: 0.8
title:	IBM FlashSystem V9000 Fixes for cross-site request forgery vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=60560	Trust: 0.6

sources: JVNDB: JVNDB-2015-006991 // CNNVD: CNNVD-201603-202

EXTERNAL IDS

db:	NVD	id:	CVE-2015-7446	Trust: 2.5
db:	JVNDB	id:	JVNDB-2015-006991	Trust: 0.8
db:	CNNVD	id:	CNNVD-201603-202	Trust: 0.7
db:	BID	id:	84597	Trust: 0.1
db:	VULHUB	id:	VHN-85407	Trust: 0.1

sources: VULHUB: VHN-85407 // JVNDB: JVNDB-2015-006991 // CNNVD: CNNVD-201603-202 // NVD: CVE-2015-7446

REFERENCES

url:	http://www-01.ibm.com/support/docview.wss?uid=ssg1s1005570	Trust: 1.7
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-7446	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-7446	Trust: 0.8

sources: VULHUB: VHN-85407 // JVNDB: JVNDB-2015-006991 // CNNVD: CNNVD-201603-202 // NVD: CVE-2015-7446

SOURCES

db:	VULHUB	id:	VHN-85407
db:	JVNDB	id:	JVNDB-2015-006991
db:	CNNVD	id:	CNNVD-201603-202
db:	NVD	id:	CVE-2015-7446

LAST UPDATE DATE

2024-08-14T15:23:59.945000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-85407	date:	2018-10-17T00:00:00
db:	JVNDB	id:	JVNDB-2015-006991	date:	2016-03-18T00:00:00
db:	CNNVD	id:	CNNVD-201603-202	date:	2016-03-14T00:00:00
db:	NVD	id:	CVE-2015-7446	date:	2018-10-17T18:47:12.877

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-85407	date:	2016-03-12T00:00:00
db:	JVNDB	id:	JVNDB-2015-006991	date:	2016-03-18T00:00:00
db:	CNNVD	id:	CNNVD-201603-202	date:	2016-03-14T00:00:00
db:	NVD	id:	CVE-2015-7446	date:	2016-03-12T15:59:00.150