Dell iDRAC XSS (DSA-2021-073)

medium Nessus Plugin ID 148955

Synopsis

The remote host is affected by a cross-site scripting vulnerability.

Description

Dell EMC iDRAC9 versions prior to 4.40.10.00 contain a reflected cross-site scripting vulnerability in the iDRAC9 web application. A remote authenticated malicious user with high privileges may potentially exploit this vulnerability to store malicious HTML or JavaScript code through multiple affected fields while generating a certificate. When victim users access the submitted data through their browsers, the malicious code is executed by the web browser in the context of the vulnerable application.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update the remote host to iDRAC9 firmware 4.40.10.00 or later.

See Also

http://www.nessus.org/u?d3c31d3d

Plugin Details

Severity: Medium

ID: 148955

File Name: drac_dsa-2021-073_xss.nasl

Version: 1.4

Type: remote

Family: CGI abuses

Published: 4/23/2021

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.0

CVSS v2

Risk Factor: Low

Base Score: 3.5

Temporal Score: 2.6

Vector: CVSS2#AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS Score Source: CVE-2021-21542

CVSS v3

Risk Factor: Medium

Base Score: 4.8

Temporal Score: 4.2

Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/h:dell:idrac9

Required KB Items: installed_sw/iDRAC

Exploit Ease: No known exploits are available

Patch Publication Date: 4/14/2020

Vulnerability Publication Date: 4/14/2020

Reference Information

CVE: CVE-2021-21542

IAVA: 2021-A-0186