-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID:               SYSS-2025-043
Product:                   IBM TS4500 Tape Library (Web GUI)
Manufacturer:              IBM
Affected Version(s):       Firmware Version 1.11.0.0-D00.00
Tested Version(s):         Firmware Version 1.11.0.0-D00.00
Vulnerability Type:        Cross-Site Scripting (CWE-79)
Risk Level:                Medium
Solution Status:           Fixed
Manufacturer Notification: 2025-06-17
Solution Date:             2025-09-23
Public Disclosure:         2025-10-21
CVE Reference:             CVE-2025-36088
Author of Advisory:        Florian Holley, SySS Cyber Security GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The IBM TS4500 Tape Library is a high-capacity tape backup solution.

The manufacturer describes the product as follows (see [1]):

"The IBM TS4500 Tape Library is a next-generation tape solution that
offers higher storage density and better integrated management than
previous solutions."

Due to insufficient input sanitization, the web GUI is vulnerable to
HTML injection and cross-site scripting (XSS) attacks.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

Under the "Actions" menu in the top left of the web GUI, the option
"End of Call" is available even to read-only ("Monitor" role) users.
This action opens a dialog in which the user can enter a description.

This input is not sanitized, so any HTML or JavaScript entered there is
rendered and executed by the client's browser. Moreover, the input is
stored on the server side and displayed to all users on the "Events"
page.

The Events page does not immediately execute the injected code; the
victim needs to open the item, e.g. by double-clicking it. Since the
Events page only displays a short part of the input, an attacker can
easily hide the malicious code by prepending some textual information
that lures the victim into opening the item.

The tests were conducted with the Monitor role, which is a read-only
user.
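As an added illustration (not part of this advisory and not code from IBM's TS4500 web GUI), the following JavaScript shows the output-side handling an Events-style page needs to display a stored description safely: HTML-escape the value at render time, and build the truncated preview from the raw text before escaping so that a cut-off tag fragment cannot reach the browser unescaped. The function names, the event structure and the sample event are constructed for this example.

```javascript
// Added example, not code from the SySS advisory or from IBM's TS4500 web GUI.
// It shows how a stored description should be rendered into an Events-style
// list: escape on output for the HTML context, and truncate the preview on
// the raw text *before* escaping so no entity or tag fragment is cut in half.
// All names and the sample event below are constructed for this example.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape every character that carries meaning in HTML text or quoted
// attribute context. Output encoding at render time is what stops stored
// input from being interpreted as markup, whatever the input filter did.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Build the short preview shown in the list. Truncating the raw string first
// and escaping afterwards guarantees that a partially visible tag such as
// "<scri" still arrives at the browser as "&lt;scri".
function previewText(description, maxLength = 40) {
  const raw = String(description);
  const cut = raw.length > maxLength ? raw.slice(0, maxLength) + '...' : raw;
  return escapeHtml(cut);
}

// Render one event row. Both the preview and the full detail (what the
// user sees after opening the item) pass through escapeHtml, so the
// description is displayed as text regardless of what it contains.
function renderEventRow(event) {
  return (
    `<li data-id="${escapeHtml(event.id)}">` +
    `<span class="preview">${previewText(event.description)}</span>` +
    `<div class="detail" hidden>${escapeHtml(event.description)}</div>` +
    '</li>'
  );
}

// Returns true when rendered markup still contains a raw <script> tag,
// i.e. when escaping was bypassed or omitted somewhere in the pipeline.
function containsRawScriptTag(html) {
  return /<\s*script/i.test(html);
}

// Constructed sample: an innocuous-looking note followed by a script tag, the
// pattern the advisory describes (lure text visible in the preview, markup
// hidden beyond the truncation point).
const sampleEvent = {
  id: 'evt-0001',
  description: 'Please have a look at this! <script>alert(1)</script>',
};

if (typeof require !== 'undefined' && require.main === module) {
  const rendered = renderEventRow(sampleEvent);
  console.log(rendered);
  console.log('raw script tag present:', containsRawScriptTag(rendered));
}
```

The important design choice is the order of operations in previewText: escaping first and truncating afterwards can split an entity such as `&lt;` into `&l`, and truncating an already-escaped string also hides nothing, since the preview is still text. Escaping on output, rather than relying on an input filter in the dialog, also covers descriptions that reached the server by other routes.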
It is possible that other input fields, which were not accessible during
the tests, are also affected.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Enter any HTML or JavaScript code in the description field, e.g.:

Please have a look at this!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

IBM provided a security fix for affected versions. Please check the
corresponding IBM Security Bulletin (see [2]) for further information.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2025-06-12: Vulnerability discovered
2025-06-17: Vulnerability reported to manufacturer
2025-09-23: Security update released by manufacturer
2025-10-21: Public release of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] IBM Redbook manual (pdf) IBM TS4500 R11 Tape Library Guide
    https://www.redbooks.ibm.com/redbooks/pdfs/sg248235.pdf
[2] IBM Security Bulletin: TS4500 Tape Library/Diamondback Tape Library
    addresses security vulnerability CVE-2025-36088
    https://www.ibm.com/support/pages/node/7242263
[3] SySS Security Advisory SYSS-2025-043
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-043.txt
[4] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Florian Holley of SySS Cyber
Security GmbH.

E-Mail: florian.holley@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Florian_Holley.asc
PGP-Fingerprint: 52D9 B795 984F 6C67 1490 6F36 1171 89EA ACBC 4E9C

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind.
Details of this security advisory may be updated in order to provide as
accurate information as possible. The latest version of this security
advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 4.0
URL: https://creativecommons.org/licenses/by/4.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE0fCgNfBs5nXNuQUU2aS/ajStTasFAmj1/BUACgkQ2aS/ajSt
TauW2Q//akHogY0cuRzwNSO/98Dj1RV0FAcs81BCYMZ7aZcwmZ+Oxwc75s7od51B
Ceqj5nbjp7hfY3Hpy1LXJ6MlRmefunTYqehti7xX6C4lXFp7RCrOx5odOAIsle8g
x14HQJtbjtBK0u8v+c3hJP5mcc1u4rEKomhucxzIZm9QOrBSl6CMAZUeABNdoWZx
RziwfK5Vos4f1SM07NVZJjhh/lE6YfJ/LM7fhTRUHMet4Rsy3bfCpq4jReCVa6jD
ySEtarTBpHTQR+KHTIgTATQk4pXH1hXctXUIvJMsY22bC1w9E8AZyQJMgImkpkau
qsYd6sIJH1gTHa4OmDeK9xzgDhdIKBGrG2kaUr3FRRnkuexZus8Hb1mv/akhz6R6
tyBF+z4bkk83G2i6eA++QKj9Q7pdwAlXMz1bYboYrVCr8Xnp9+KqgipszpwpdL54
28VEHCvcFYQR4oMHtSpxgp0bdNk002t8/me4RMzmqrWFHRru+yemb4MzVQfaYUI8
mw7nXcRtjzW2ZQNqThwwfrJr5DBy7RgLoyAEh7PufZRdVZQ0JQZ9EO6lFFhZpICY
ZHQhe7mgDA+gcaAJbjqCSxK0WNhY+z4DQ3MIMP3FJ9U7UHrnDRxZz/Lc740Ujb9x
sun0szKJUd3ivfuN1jeay98tIt57lJZYzm0tq9wPIJbyDaGsUfY=
=YZDl
-----END PGP SIGNATURE-----