A vulnerability (CVE-2020-4987) affects the IBM FlashSystem model 900 management GUI.
CVEID: CVE-2020-4987
**DESCRIPTION:** IBM FlashSystem 900 user management GUI is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session.
CVSS Base score: 6.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/192702 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N)
Storage Node machine type and models (MTMs) affected:
Supported storage node code versions which are affected:
VRMFs 1.5.2.8 and prior
VRMFs 1.6.1.2 and prior
**Note:** For information on IBM FlashSystem V9000 SVC code levels affected and remediated, search for the equivalent security bulletin here: IBM Support
MTMs | VRMF | APAR | Remediation/First Fix |
---|---|---|---|
FlashSystem 840 MTMs: 9840-AE1 and 9843-AE1<br>FlashSystem 900 MTMs: 9843-UF3, 9840-AE2, 9843-AE2, 9840-AE3, and 9843-AE3<br>Note: AE1 systems are no longer supported. | Code fixes are now available; the minimum VRMF containing the fix depends on the code stream.<br>Fixed Code VRMF:<br>1.6 stream: 1.6.1.3<br>1.5 stream: 1.5.2.9 | N/A | FlashSystem 900 fixes are available at IBM's Fix Central website. FlashSystem 840 is no longer supported. |

Upgrade to a supported firmware level.