CVE-2017-14374
https://notcve.org/view.php?id=CVE-2017-14374
The SMI-S service in Dell Storage Manager versions earlier than 16.3.20 (aka 2016 R3.20) is protected using a hard-coded password. A remote user with knowledge of the password might potentially disable the SMI-S service via HTTP requests, affecting storage management and monitoring functionality via the SMI-S interface. This issue, aka DSM-30415, only affects a Windows installation of the Data Collector (not applicable to the virtual appliance).
• http://topics-cdn.dell.com/pdf/storage-sc2000_release%20notes24_en-us.pdf
• CWE-798: Use of Hard-coded Credentials
CVE-2015-7838 – SolarWinds Storage Manager ProcessFileUpload.jsp File Upload Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2015-7838
ProcessFileUpload.jsp in SolarWinds Storage Manager before 6.2 allows remote attackers to upload and execute arbitrary files via unspecified vectors. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of SolarWinds Storage Manager. Authentication is not required to exploit this vulnerability. The specific flaw exists within ProcessFileUpload.jsp within the handling of file uploads. The issue lies in the failure to sanitize the files uploaded, allowing them to be placed within directories accessible through the service.
• http://www.solarwinds.com/documentation/srm/docs/releasenotes/releasenotes.htm
• http://www.zerodayinitiative.com/advisories/ZDI-15-460
• CWE-20: Improper Input Validation