Multiple Vendor Products Security Vulnerabilities
BID:52566
Info
| Bugtraq ID: | 52566 |
| Class: | Design Error |
| CVE: | CVE-2012-1841 CVE-2012-1842 CVE-2012-1844 CVE-2012-1843 |
| Remote: | Yes |
| Local: | No |
| Published: | Mar 19 2012 12:00AM |
| Updated: | Mar 13 2013 05:25PM |
| Credit: | NOAA CIRT |
| Vulnerable: | Quantum Scalar i500 0; IBM TS3310 0; Dell ML6000 0 |
| Not Vulnerable: | Quantum Scalar i500 i7.0.3(604G.GS00100); IBM TS3310 R6C (606G.GS001); Dell ML6000 A20-00(590G.GS00100) |
Discussion
Quantum Scalar i500, Dell ML6000, and IBM TS3310 are prone to the following vulnerabilities:
1. An information-disclosure vulnerability
2. A cross-site scripting vulnerability
3. A cross-site request-forgery vulnerability
4. A security-bypass vulnerability
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks. The information-disclosure vulnerability can allow the attacker to obtain sensitive information that may aid in launching further attacks.
Exploiting the cross-site request-forgery may allow a remote attacker to perform certain administrative actions and gain unauthorized access to the affected application. Other attacks are also possible.
Attackers can exploit a password weakness issue to bypass security restrictions to obtain sensitive information or perform unauthorized actions; this may aid in launching further attacks.
Exploit / POC
Attackers can use a browser to exploit these issues. To exploit the cross-site request-forgery issue, an attacker must entice an unsuspecting victim to open a malicious URI.
Solution / Fix
Solution:
Updates are available. Please see the references for details.
References
References:
- Dell Homepage (Dell)
- IBM Fix Central (IBM)
- Quantum Homepage (Quantum)
- Quantum Scalar i500, Dell ML6000 and IBM TS3310 tape libraries web interface and (NOAA CIRT)