Hitachi Vantara · Hitachi Vantara HNAS · CVE-2023-5808
**Name of the Vulnerable Software and Affected Versions**
Hitachi Vantara HNAS versions prior to 14.8.7825.01
**Description**
The issue allows authenticated users to access sensitive information through an Insecure Direct Object Reference (IDOR). By manipulating the URL of a download request, users in the Storage, Server, or combined Server+Storage administrative roles can retrieve confidential files, including the HNAS configuration backup and diagnostic data, that are normally restricted from their role. The weakness is in the authorization procedure: in effect, the download endpoint confirms that the caller is an authenticated administrator but does not confirm that the requested object is permitted for the caller's role. A remote attacker holding valid credentials for one of those roles can therefore obtain protected information.
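The pattern described above, as an added illustration that is not HNAS code and not taken from the advisory: a download endpoint whose vulnerable form asks only "is the caller an administrator?", beside a hardened form that authorizes the (caller, object) pair. The role names, file identifiers and paths are hypothetical and constructed for the example.

```python
"""Constructed example of the IDOR class described in the advisory.
Not HNAS code; roles, file identifiers and paths are hypothetical."""
from dataclasses import dataclass
from enum import Enum, auto


class Role(Enum):
    SERVER_ADMIN = auto()
    STORAGE_ADMIN = auto()
    SERVER_STORAGE_ADMIN = auto()
    GLOBAL_ADMIN = auto()   # hypothetical role allowed to read everything


class Forbidden(Exception):
    """Raised when the caller may not retrieve the requested object."""


@dataclass(frozen=True)
class Download:
    path: str
    allowed_roles: frozenset  # roles permitted to retrieve this object


# Constructed catalogue of downloadable objects, keyed by the identifier
# that appears in the URL (e.g. /download?file=<id>).
ANY_ADMIN = frozenset(Role)
CATALOGUE = {
    "perf-report":   Download("/var/reports/perf.csv", ANY_ADMIN),
    "config-backup": Download("/var/backup/config.tgz", frozenset({Role.GLOBAL_ADMIN})),
    "diag-bundle":   Download("/var/diag/bundle.tgz", frozenset({Role.GLOBAL_ADMIN})),
}


def download_vulnerable(user_roles: set, file_id: str) -> str:
    """Vulnerable pattern: the check answers 'is this an authenticated
    administrator?' but never asks whether *this* object is within the
    caller's role. Any administrator who edits the file id in the URL
    receives every object in the catalogue."""
    if not user_roles & ANY_ADMIN:
        raise Forbidden("not an administrator")
    entry = CATALOGUE.get(file_id)
    if entry is None:
        raise KeyError(file_id)
    return entry.path


def download_hardened(user_roles: set, file_id: str) -> str:
    """Hardened pattern: authorize the (caller, object) pair on every
    request. Unknown ids and unauthorized ids produce the same error so
    the endpoint does not reveal which identifiers exist."""
    entry = CATALOGUE.get(file_id)
    if entry is None or not (user_roles & entry.allowed_roles):
        raise Forbidden("access denied")
    return entry.path


def can_download(handler, user_roles: set, file_id: str) -> bool:
    """True if the given handler would serve file_id to user_roles."""
    try:
        handler(user_roles, file_id)
        return True
    except (Forbidden, KeyError):
        return False


def demo() -> dict:
    """Walk a Storage administrator through both handlers and report which
    objects each one serves; the difference is the IDOR."""
    storage_admin = {Role.STORAGE_ADMIN}
    results = {}
    for fid in CATALOGUE:
        for name, handler in (("vulnerable", download_vulnerable),
                              ("hardened", download_hardened)):
            results[(name, fid)] = can_download(handler, storage_admin, fid)
    return results


if __name__ == "__main__":
    for (handler, fid), served in sorted(demo().items()):
        print(f"{handler:10} {fid:14} {'served' if served else 'denied'}")
```

The fix is not input validation on the URL: the identifier is legitimate input, and the server must decide per object whether this caller's role may read it. Returning one error for "does not exist" and "not permitted" also stops the endpoint from being used to enumerate object names.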
**Recommendations**
The affected range ends at 14.8.7825.01, which indicates that release carries the fix; upgrading to 14.8.7825.01 or later is the remediation. Until the upgrade can be scheduled, the weakness is in the server-side authorization check and cannot be mitigated by asking users not to manipulate URLs, so treat every account in the Storage, Server, or combined Server+Storage administrative roles as able to read the HNAS configuration backup and diagnostic data. Keep membership in those roles to the minimum needed, restrict network access to the management interface to trusted administrative hosts, and, where the system's access logging permits, review downloads of configuration backup or diagnostic files by accounts in those roles, since such downloads would indicate the weakness has been exercised.