CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS
Percentile
52.0%
There is a cross-site request forgery vulnerability to which the IBM® FlashSystem™ 840 and IBM FlashSystem 900 are susceptible. An exploit of this vulnerability could allow cross-site scripting attacks, Web cache poisoning, and other malicious activities.
CVEID: CVE-2015-7446 DESCRIPTION: IBM Flash System 840 and IBM FlashSystem 900 are susceptible to cross-site request forgery, caused by improper validation of user-supplied input. By persuading an authenticated user to visit a malicious Web site, a remote attacker could send a malformed HTTP request. An attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities.
CVSS Base Score: 8.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/108187 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
FlashSystem 840 including machine type and models (MTMs) for all available code levels. MTMs affected include 9840-AE1 and 9843-AE1.
FlashSystem 900 including machine type and models (MTMs) for all available code levels. MTMs affected include 9840-AE2 and 9843-AE2.
MTMs
| VRMF| APAR| Remediation/First Fix
—|—|—|—
FlashSystem****840 MTM:
9840-AE1 &
9843-AE1
FlashSystem 900 MTMs:
9840-AE2 &
9843-AE2| _Code fixes are now available, the minimum VRMF containing the fix depends on the code stream:
_Fixed code VRMF .
1.4 stream: 1.4.0.10 (or later)
1.3 stream: 1.3.0.5 (or later)
1.2 stream: 1.2.1.9 (or later)| _ _N/A| No workarounds or mitigations, other than applying this code fix, are known for this vulnerability
** **FlashSystem 840 fixes****and FlashSystem 900 fixes****are available @ IBM’s Fix Central
None
Vendor | Product | Version | CPE |
---|---|---|---|
ibm | flashsystem_900 | any | cpe:2.3:h:ibm:flashsystem_900:any:*:*:*:*:*:*:* |
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS
Percentile
52.0%