Advisory ID:               SYSS-2025-042
Product:                   IBM TS4500 Tape Library (Web GUI)
Manufacturer:              IBM
Affected Version(s):       Firmware Version 1.11.0.0-D00.00
Tested Version(s):         Firmware Version 1.11.0.0-D00.00
Vulnerability Type:        Prototype Pollution (CWE-1321)
Risk Level:                Medium
Solution Status:           Fixed
Manufacturer Notification: 2025-06-17
Solution Date:             2025-09-23
Public Disclosure:         2025-10-21
CVE Reference:             CVE-2021-23450
Author of Advisory:        Florian Holley, SySS Cyber Security GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The IBM TS4500 Tape Library is a high-capacity tape backup solution.

The manufacturer describes the product as follows (see [1]):

"The IBM TS4500 Tape Library is a next-generation tape solution that
offers higher storage density and better integrated management than
previous solutions."

The web GUI uses an outdated and vulnerable version of the JavaScript
library "dojo.js". The version is vulnerable to prototype pollution.
When executed in the client's browser, it can be used to facilitate
cross-site scripting (XSS) attacks. If the vulnerable code is also used
on the server, the vulnerability can lead to remote code execution.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The application loads the JavaScript library "dojo.js". The version
information reveals that an old version of dojo.js is used (version 1.8
patch 2). This version is vulnerable to prototype pollution.

By injecting arbitrary properties into global JavaScript objects,
attackers could use this vulnerability for XSS attacks, or, if the code
is executed on the server, for remote code execution.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Open the browser's development tools and navigate to the Console tab.

Enter the following code to check the version:

    dojo.version

Output:

    {major:1, minor:8, patch:2,...}

Enter the following code to verify the vulnerability:

    require(["dojo/request/util"], function(lang) {
        // JSON document carrying a "__proto__" key
        var malicious_payload = '{"__proto__":{"vulnerable":"Polluted"}}';
        var a = { b: "c", d: "e" };
        // deepCopy() merges the parsed payload into "a"
        var newObj = lang.deepCopy(a, JSON.parse(malicious_payload));
        // A fresh object inherits the property if the library is vulnerable
        console.log({}.vulnerable);
    })

Output when vulnerable:

    "Polluted"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

IBM provided a security fix for affected versions. Please check the
corresponding IBM Security Bulletin (see [4]) for further information.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2025-06-12: Vulnerability discovered
2025-06-17: Vulnerability reported to manufacturer
2025-09-23: Security update released by manufacturer
2025-10-21: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] IBM Redbook manual (pdf) IBM TS4500 R11 Tape Library Guide
    https://www.redbooks.ibm.com/redbooks/pdfs/sg248235.pdf
[2] CVE-2021-23450, Prototype Pollution
    https://www.cve.org/CVERecord?id=CVE-2021-23450
[3] SySS Security Advisory SYSS-2025-042
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-042.txt
[4] IBM Security Bulletin: TS4500 Tape Library/Diamondback Tape Library
    addresses security vulnerability CVE-2021-23450
    https://www.ibm.com/support/pages/node/7242299
[5] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Florian Holley of SySS Cyber
Security GmbH.

E-Mail: florian.holley@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Florian_Holley.asc
PGP-Fingerprint: 52D9 B795 984F 6C67 1490 6F36 1171 89EA ACBC 4E9C

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 4.0
URL: https://creativecommons.org/licenses/by/4.0/deed.en
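
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Added example (not part of the SySS advisory and not Dojo's source
code): a generic recursive merge that is pollutable by the payload shape
used in the PoC above, next to a hardened variant that skips
prototype-related keys, plus a check for enumerable properties on
Object.prototype. All function names are hypothetical.

```javascript
// Added illustration; generic merge code, NOT Dojo's implementation.
// All names below are hypothetical.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);
const isPlainObject = (v) =>
  v !== null && typeof v === "object" && !Array.isArray(v);

// Naive form: descends into every own key of the source, "__proto__" included.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      // target["__proto__"] resolves to Object.prototype, so the merge recurses into it
      if (!isPlainObject(target[key])) target[key] = {};
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened form: drops prototype-related keys and only descends into own properties.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// A clean runtime has no enumerable own properties on Object.prototype.
const pollutedKeys = () => Object.keys(Object.prototype);

function runDemo() {
  const payload = '{"__proto__":{"vulnerable":"Polluted"}}'; // shape from the PoC
  naiveMerge({ b: "c", d: "e" }, JSON.parse(payload));
  const afterNaive = pollutedKeys();
  const leaked = ({}).vulnerable;          // inherited by every fresh object
  delete Object.prototype.vulnerable;      // undo before the hardened run
  const merged = safeMerge({ b: "c", d: "e" }, JSON.parse(payload));
  return { afterNaive, leaked, afterSafe: pollutedKeys(), merged };
}
console.log(runDemo());
```

Running pollutedKeys() in a page's console after the application has
processed untrusted JSON is a quick way to confirm whether a merge
routine has written to the shared prototype.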