3.5 Low
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:S/C:N/I:P/A:N
0.001 Low
EPSS
Percentile
27.6%
The version of IBM Tivoli Storage Manager (TSM) for Virtual Environments installed on the remote host is 6.3.x prior to 6.3.2.5, 6.4.x prior to 6.4.3.1, or 7.1.x prior to 7.1.3.0. It is, therefore, affected by a cross-site scripting (XSS) vulnerability due to improper validation of input before returning it to users. An unauthenticated, remote attacker can exploit this, via a specially crafted link, to execute script code in the user’s browser session.
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
# Registration block: when `description` is set, only the plugin metadata
# below is declared and the script leaves through exit(0) at the end of the
# block, so none of the detection logic further down runs in this mode.
if (description)
{
script_id(86324);
script_version("1.12");
script_set_attribute(attribute:"plugin_modification_date", value:"2021/10/25");
script_cve_id("CVE-2015-1988");
script_bugtraq_id(76947);
script_name(english:"IBM TSM for Virtual Environments 6.3.x < 6.3.2.5 / 6.4.x < 6.4.3.1 / 7.1.x < 7.1.3.0 XSS");
script_summary(english:"Checks the version of TSM for Virtual Environments.");
script_set_attribute(attribute:"synopsis", value:
"A backup application installed on the remote host is affected by a
cross-site scripting vulnerability.");
# NOTE(review): the text below says "unauthenticated", and the CVSS v3 vector
# further down agrees (PR:N/UI:R), but the CVSS v2 vector is Au:S (single
# authentication). The authentication requirement is therefore stated
# inconsistently in this plugin; confirm against the vendor advisory in
# "see_also" before using it for prioritisation.
script_set_attribute(attribute:"description", value:
"The version of IBM Tivoli Storage Manager (TSM) for Virtual
Environments installed on the remote host is 6.3.x prior to 6.3.2.5,
6.4.x prior to 6.4.3.1, or 7.1.x prior to 7.1.3.0. It is, therefore,
affected by a cross-site scripting (XSS) vulnerability due to improper
validation of input before returning it to users. An unauthenticated,
remote attacker can exploit this, via a specially crafted link, to
execute script code in the user's browser session.");
script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg21967532");
script_set_attribute(attribute:"solution", value:
"Upgrade to Tivoli Storage Manager for Virtual Environments version
6.3.2.5 / 6.4.3.1 / 7.1.3.0 or later.");
script_set_attribute(attribute:"agent", value:"all");
# Severity metadata. The v2 vector scores integrity impact only (I:P) with
# no confidentiality or availability impact; the v3 vector requires user
# interaction (UI:R) and marks a changed scope (S:C).
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:S/C:N/I:P/A:N");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
# NOTE(review): "cvss_score_source" is set twice with the same value (here
# and after the CVSS v3 vectors); one of the two looks redundant.
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-1988");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-1988");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2015/09/30");
script_set_attribute(attribute:"patch_publication_date", value:"2015/09/30");
script_set_attribute(attribute:"plugin_publication_date", value:"2015/10/09");
# plugin_type "local": presumably the finding comes from installed-software
# data collected on the host by the dependencies below, not from a request
# sent to the affected web interface - TODO confirm.
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:tivoli_storage_manager_for_virtual_environments");
script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:spectrum_protect_for_virtual_environments");
script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:tivoli_storage_manager_for_virtual_environments_data_protection_for_vmware");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Misc.");
script_copyright(english:"This script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
# Two detection plugins are declared as dependencies; the second file name
# carries a "_linux" suffix, so installs on more than one platform can feed
# this check.
script_dependencies("tivoli_storage_manager_virtual_environments_installed.nbin", "tivoli_storage_manager_virtual_environments_installed_linux.nbin");
# The required KB key is the install record that the detection logic reads
# through get_install_count()/get_single_install().
script_require_keys("installed_sw/Tivoli Storage Manager for Virtual Environments");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("install_func.inc");
include("smb_func.inc");
# Detection logic: a version-only comparison against the recorded install.
# Nothing here talks to the affected web interface, so the result is only as
# accurate as the recorded version string (an interim fix that does not
# change the version would still be reported - confirm with the vendor
# advisory when triaging).
product = 'Tivoli Storage Manager for Virtual Environments';

# Leave early when no install of the product was recorded for this host.
get_install_count(app_name:product, exit_if_zero:TRUE);

# exit_if_unknown_ver:TRUE - an install without a version is not evaluated.
inst          = get_single_install(app_name:product, exit_if_unknown_ver:TRUE);
installed_ver = inst["version"];
install_path  = inst["path"];
hv            = inst["Hypervisor"];

# The hypervisor name becomes part of the product label used in audit output.
product += " for " + hv;

# Only the VMware variant is treated as affected; any other hypervisor value
# is audited as not vulnerable.
if (hv != "VMware")
{
  audit(AUDIT_INST_VER_NOT_VULN, product, installed_ver);
}

# Map the release branch to its first fixed level. The three patterns are
# mutually exclusive, so at most one assignment takes effect.
fixed_ver = NULL;
if (installed_ver =~ "^6\.3\.") fixed_ver = "6.3.2.5";
if (installed_ver =~ "^6\.4\.") fixed_ver = "6.4.3.1";
if (installed_ver =~ "^7\.1\.") fixed_ver = "7.1.3.0";

# Branches other than 6.3.x / 6.4.x / 7.1.x are outside the affected range.
if (isnull(fixed_ver))
{
  audit(AUDIT_INST_PATH_NOT_VULN, product, installed_ver, install_path);
}

# A result of zero or more means the install is at or beyond the fixed level.
if (ver_compare(ver:installed_ver, fix:fixed_ver, strict:FALSE) >= 0)
{
  audit(AUDIT_INST_PATH_NOT_VULN, product, installed_ver, install_path);
}

# NOTE(review): the finding is reported on the SMB transport port even though
# a "_linux" detection plugin is among the dependencies - confirm this is the
# intended port for non-Windows installs.
smb_port = kb_smb_transport();

# Records an XSS flag in the knowledge base; presumably read by downstream
# reporting - TODO confirm which consumers use 'www/0/XSS'.
set_kb_item(name:'www/0/XSS', value:TRUE);

# Low-severity result (security_note); details are attached only when the
# report verbosity is above zero.
if (!(report_verbosity > 0))
{
  security_note(smb_port);
}
else
{
  report  = '\n Hypervisor : ' + hv;
  report += '\n Path : ' + install_path;
  report += '\n Installed version : ' + installed_ver;
  report += '\n Fixed version : ' + fixed_ver + '\n';
  security_note(port:smb_port, extra:report);
}
Vendor | Product | Version | CPE |
---|---|---|---|
ibm | tivoli_storage_manager_for_virtual_environments | | cpe:/a:ibm:tivoli_storage_manager_for_virtual_environments |
ibm | spectrum_protect_for_virtual_environments | | cpe:/a:ibm:spectrum_protect_for_virtual_environments |
ibm | tivoli_storage_manager_for_virtual_environments_data_protection_for_vmware | | cpe:/a:ibm:tivoli_storage_manager_for_virtual_environments_data_protection_for_vmware |