CVE-2020-4987
Description
The IBM FlashSystem 900 user management GUI is vulnerable to stored cross-site scripting in code versions 1.5.2.8 and prior and 1.6.1.2 and prior. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored cross-site scripting in IBM FlashSystem 900 user management GUI allows credential disclosure; fixed in versions 1.5.2.9 and 1.6.1.3.
Vulnerability
The IBM FlashSystem 900 user management GUI is vulnerable to stored cross-site scripting (XSS) in code versions 1.5.2.8 and prior, and 1.6.1.2 and prior [1]. Affected system types include FlashSystem 900 MTMs 9840-AE1, 9843-AE1, 9840-AE2, 9843-AE2, 9840-AE3, and 9843-AE3 [1]. The vulnerability allows users to embed arbitrary JavaScript code into the Web UI, which is then stored and executed in the context of other users' sessions.
Exploitation
An attacker with authenticated access to the management GUI can inject malicious JavaScript via the user management functionality. The injected script is stored and subsequently executed when other users (including administrators) access the affected page. No additional user interaction is required beyond visiting the compromised page. The attacker does not need network-level access beyond what is required to reach the management interface.
Impact
Successful exploitation enables the attacker to alter the intended functionality of the Web UI, potentially leading to disclosure of credentials (e.g., session tokens) within a trusted session. The CVSS 3.0 base score is 6.4 (medium), with vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N [1], indicating limited impact on confidentiality and integrity, with a scope change because the injected script runs in other users' browser sessions.
Mitigation
IBM has released fixed firmware versions: 1.5.2.9 for the 1.5 stream and 1.6.1.3 for the 1.6 stream [1]. Users should upgrade to these or later versions via IBM Fix Central. FlashSystem 840 systems (MTM AE1) are no longer supported and should be upgraded. No workaround other than upgrading is recommended [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- (no CPE) range: <=1.5.2.8, <=1.6.1.2
- (no CPE) range: 1.6.1.2
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (2)
- [1] exchange.xforce.ibmcloud.com/vulnerabilities/192702 (IBM X-Force vulnerability database entry, x_refsource_XF)
- [1] www.ibm.com/support/pages/node/6449280 (IBM support advisory, x_refsource_CONFIRM)
News mentions (0)
No linked articles in our index yet.