Vulnerabilites related to dell - idrac6_monolithic
CVE-2018-1212 (GCVE-0-2018-1212)
Vulnerability from cvelistv5
Published
2018-07-02 17:00
Modified
2024-09-17 01:37
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Authenticated remote code execution command injection vulnerability.
Summary
The web-based diagnostics console in Dell EMC iDRAC6 (Monolithic versions prior to 2.91 and Modular all versions) contains a command injection vulnerability. A remote authenticated malicious iDRAC user with access to the diagnostics console could potentially exploit this vulnerability to execute arbitrary commands as root on the affected iDRAC system.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ► | Dell EMC | iDRAC6 (Monolithic) |
Version: unspecified < 2.91 |
||||||
|
|||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T03:51:48.999Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://en.community.dell.com/techcenter/extras/m/white_papers/20487494"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "iDRAC6 (Monolithic)",
"vendor": "Dell EMC",
"versions": [
{
"lessThan": "2.91",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
},
{
"product": "iDRAC6 (Modular)",
"vendor": "Dell EMC",
"versions": [
{
"lessThanOrEqual": "3.85",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Dell EMC would like to thank Arseniy for reporting this issue to us."
}
],
"datePublic": "2018-06-26T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The web-based diagnostics console in Dell EMC iDRAC6 (Monolithic versions prior to 2.91 and Modular all versions) contains a command injection vulnerability. A remote authenticated malicious iDRAC user with access to the diagnostics console could potentially exploit this vulnerability to execute arbitrary commands as root on the affected iDRAC system."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Authenticated remote code execution command injection vulnerability.",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-07-02T16:57:01",
"orgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"shortName": "dell"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://en.community.dell.com/techcenter/extras/m/white_papers/20487494"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Authenticated remote code execution in iDRAC 6",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security_alert@emc.com",
"DATE_PUBLIC": "2018-06-26T05:00:00.000Z",
"ID": "CVE-2018-1212",
"STATE": "PUBLIC",
"TITLE": "Authenticated remote code execution in iDRAC 6"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "iDRAC6 (Monolithic)",
"version": {
"version_data": [
{
"affected": "\u003c",
"version_affected": "\u003c",
"version_value": "2.91"
}
]
}
},
{
"product_name": "iDRAC6 (Modular)",
"version": {
"version_data": [
{
"affected": "\u003c=",
"version_affected": "\u003c=",
"version_value": "3.85"
}
]
}
}
]
},
"vendor_name": "Dell EMC"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Dell EMC would like to thank Arseniy for reporting this issue to us."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The web-based diagnostics console in Dell EMC iDRAC6 (Monolithic versions prior to 2.91 and Modular all versions) contains a command injection vulnerability. A remote authenticated malicious iDRAC user with access to the diagnostics console could potentially exploit this vulnerability to execute arbitrary commands as root on the affected iDRAC system."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Authenticated remote code execution command injection vulnerability."
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://en.community.dell.com/techcenter/extras/m/white_papers/20487494",
"refsource": "CONFIRM",
"url": "http://en.community.dell.com/techcenter/extras/m/white_papers/20487494"
}
]
},
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c550e75a-17ff-4988-97f0-544cde3820fe",
"assignerShortName": "dell",
"cveId": "CVE-2018-1212",
"datePublished": "2018-07-02T17:00:00Z",
"dateReserved": "2017-12-06T00:00:00",
"dateUpdated": "2024-09-17T01:37:02.877Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-8272 (GCVE-0-2014-8272)
Vulnerability from cvelistv5
Published
2014-12-19 11:00
Modified
2024-08-06 13:10
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
The IPMI 1.5 functionality in Dell iDRAC6 modular before 3.65, iDRAC6 monolithic before 1.98, and iDRAC7 before 1.57.57 does not properly select session ID values, which makes it easier for remote attackers to execute arbitrary commands via a brute-force attack.
References
| ► | URL | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T13:10:50.943Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www.kb.cert.org/vuls/id/BLUU-9RDQHM"
},
{
"name": "35770",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "http://www.exploit-db.com/exploits/35770"
},
{
"name": "VU#843044",
"tags": [
"third-party-advisory",
"x_refsource_CERT-VN",
"x_transferred"
],
"url": "http://www.kb.cert.org/vuls/id/843044"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2014-12-18T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The IPMI 1.5 functionality in Dell iDRAC6 modular before 3.65, iDRAC6 monolithic before 1.98, and iDRAC7 before 1.57.57 does not properly select session ID values, which makes it easier for remote attackers to execute arbitrary commands via a brute-force attack."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2015-02-02T15:57:00",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www.kb.cert.org/vuls/id/BLUU-9RDQHM"
},
{
"name": "35770",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "http://www.exploit-db.com/exploits/35770"
},
{
"name": "VU#843044",
"tags": [
"third-party-advisory",
"x_refsource_CERT-VN"
],
"url": "http://www.kb.cert.org/vuls/id/843044"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cert@cert.org",
"ID": "CVE-2014-8272",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The IPMI 1.5 functionality in Dell iDRAC6 modular before 3.65, iDRAC6 monolithic before 1.98, and iDRAC7 before 1.57.57 does not properly select session ID values, which makes it easier for remote attackers to execute arbitrary commands via a brute-force attack."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://www.kb.cert.org/vuls/id/BLUU-9RDQHM",
"refsource": "CONFIRM",
"url": "http://www.kb.cert.org/vuls/id/BLUU-9RDQHM"
},
{
"name": "35770",
"refsource": "EXPLOIT-DB",
"url": "http://www.exploit-db.com/exploits/35770"
},
{
"name": "VU#843044",
"refsource": "CERT-VN",
"url": "http://www.kb.cert.org/vuls/id/843044"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2014-8272",
"datePublished": "2014-12-19T11:00:00",
"dateReserved": "2014-10-12T00:00:00",
"dateUpdated": "2024-08-06T13:10:50.943Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2013-3589 (GCVE-0-2013-3589)
Vulnerability from cvelistv5
Published
2013-09-24 10:00
Modified
2024-09-16 18:23
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Cross-site scripting (XSS) vulnerability in the login page in the Administrative Web Interface on Dell iDRAC6 monolithic devices with firmware before 1.96 and iDRAC7 devices with firmware before 1.46.45 allows remote attackers to inject arbitrary web script or HTML via the ErrorMsg parameter.
References
| ► | URL | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T16:14:56.448Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www.kb.cert.org/vuls/id/BLUU-997QVW"
},
{
"name": "VU#920038",
"tags": [
"third-party-advisory",
"x_refsource_CERT-VN",
"x_transferred"
],
"url": "http://www.kb.cert.org/vuls/id/920038"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in the login page in the Administrative Web Interface on Dell iDRAC6 monolithic devices with firmware before 1.96 and iDRAC7 devices with firmware before 1.46.45 allows remote attackers to inject arbitrary web script or HTML via the ErrorMsg parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2013-09-24T10:00:00Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www.kb.cert.org/vuls/id/BLUU-997QVW"
},
{
"name": "VU#920038",
"tags": [
"third-party-advisory",
"x_refsource_CERT-VN"
],
"url": "http://www.kb.cert.org/vuls/id/920038"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cert@cert.org",
"ID": "CVE-2013-3589",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in the login page in the Administrative Web Interface on Dell iDRAC6 monolithic devices with firmware before 1.96 and iDRAC7 devices with firmware before 1.46.45 allows remote attackers to inject arbitrary web script or HTML via the ErrorMsg parameter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://www.kb.cert.org/vuls/id/BLUU-997QVW",
"refsource": "CONFIRM",
"url": "http://www.kb.cert.org/vuls/id/BLUU-997QVW"
},
{
"name": "VU#920038",
"refsource": "CERT-VN",
"url": "http://www.kb.cert.org/vuls/id/920038"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2013-3589",
"datePublished": "2013-09-24T10:00:00Z",
"dateReserved": "2013-05-21T00:00:00Z",
"dateUpdated": "2024-09-16T18:23:58.443Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Vulnerability from fkie_nvd
Published
2014-12-19 11:59
Modified
2025-04-12 10:46
Severity ?
Summary
The IPMI 1.5 functionality in Dell iDRAC6 modular before 3.65, iDRAC6 monolithic before 1.98, and iDRAC7 before 1.57.57 does not properly select session ID values, which makes it easier for remote attackers to execute arbitrary commands via a brute-force attack.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cret@cert.org | http://www.exploit-db.com/exploits/35770 | Exploit | |
| cret@cert.org | http://www.kb.cert.org/vuls/id/843044 | Third Party Advisory, US Government Resource | |
| cret@cert.org | http://www.kb.cert.org/vuls/id/BLUU-9RDQHM | Third Party Advisory, US Government Resource | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.exploit-db.com/exploits/35770 | Exploit | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.kb.cert.org/vuls/id/843044 | Third Party Advisory, US Government Resource | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.kb.cert.org/vuls/id/BLUU-9RDQHM | Third Party Advisory, US Government Resource |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| dell | idrac6_modular | * | |
| dell | idrac7 | * | |
| intel | ipmi | 1.5 | |
| dell | idrac6_monolithic | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:dell:idrac6_modular:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A460E054-878C-4E63-945F-7FC03D07E302",
"versionEndIncluding": "3.60",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:dell:idrac7:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A4DBDA63-E3CD-486A-864A-9C9B078ACC97",
"versionEndIncluding": "1.56.55",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:intel:ipmi:1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "21DFF96C-EBE3-4CAC-B281-50C0A2728C10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:dell:idrac6_monolithic:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B3D463D1-92B9-481C-BC39-3E5EDA630A3E",
"versionEndIncluding": "1.97",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The IPMI 1.5 functionality in Dell iDRAC6 modular before 3.65, iDRAC6 monolithic before 1.98, and iDRAC7 before 1.57.57 does not properly select session ID values, which makes it easier for remote attackers to execute arbitrary commands via a brute-force attack."
},
{
"lang": "es",
"value": "La funcionalidad IPMI 1.5 en Dell iDRAC6 modular anterior a 3.65, iDRAC6 monol\u00edtico anterior a 1.98 e iDRAC7 anterior a 1.57.57 no selecciona correctamente los valores ID de sesi\u00f3n, lo que facilita a atacantes remotos ejecutar comandos arbitrarios a trav\u00e9s de ataques de fuerza bruta."
}
],
"evaluatorComment": "\u003ca href=\"http://cwe.mitre.org/data/definitions/330.html\"\u003eCWE-330: Use of Insufficiently Random Values\u003c/a\u003e",
"id": "CVE-2014-8272",
"lastModified": "2025-04-12T10:46:40.837",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2014-12-19T11:59:05.290",
"references": [
{
"source": "cret@cert.org",
"tags": [
"Exploit"
],
"url": "http://www.exploit-db.com/exploits/35770"
},
{
"source": "cret@cert.org",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "http://www.kb.cert.org/vuls/id/843044"
},
{
"source": "cret@cert.org",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "http://www.kb.cert.org/vuls/id/BLUU-9RDQHM"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit"
],
"url": "http://www.exploit-db.com/exploits/35770"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "http://www.kb.cert.org/vuls/id/843044"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "http://www.kb.cert.org/vuls/id/BLUU-9RDQHM"
}
],
"sourceIdentifier": "cret@cert.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2018-07-02 17:29
Modified
2024-11-21 03:59
Severity ?
8.8 (High) - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
The web-based diagnostics console in Dell EMC iDRAC6 (Monolithic versions prior to 2.91 and Modular all versions) contains a command injection vulnerability. A remote authenticated malicious iDRAC user with access to the diagnostics console could potentially exploit this vulnerability to execute arbitrary commands as root on the affected iDRAC system.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| dell | idrac6_modular | * | |
| dell | idrac6_monolithic | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:dell:idrac6_modular:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5A187ADC-E596-4B72-B8D6-D502702B5FC4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:dell:idrac6_monolithic:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9E064ABF-3293-47EB-8D9F-860EBC88E64B",
"versionEndExcluding": "2.91",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The web-based diagnostics console in Dell EMC iDRAC6 (Monolithic versions prior to 2.91 and Modular all versions) contains a command injection vulnerability. A remote authenticated malicious iDRAC user with access to the diagnostics console could potentially exploit this vulnerability to execute arbitrary commands as root on the affected iDRAC system."
},
{
"lang": "es",
"value": "La consola web de diagn\u00f3stico en Dell EMC iDRAC6 (versiones Monolithic anteriores a la 2.91 y Modular en todas las versiones) contiene una vulnerabilidad de inyecci\u00f3n de comandos. Un usuario iDRAC autenticado, remoto y malicioso con acceso a la consola de diagn\u00f3stico podr\u00eda explotar esta vulnerabilidad para ejecutar comandos arbitrarios como root en el sistema iDRAC afectado."
}
],
"id": "CVE-2018-1212",
"lastModified": "2024-11-21T03:59:24.007",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "COMPLETE",
"baseScore": 9.0,
"confidentialityImpact": "COMPLETE",
"integrityImpact": "COMPLETE",
"vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 10.0,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "security_alert@emc.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-07-02T17:29:00.257",
"references": [
{
"source": "security_alert@emc.com",
"tags": [
"Vendor Advisory"
],
"url": "http://en.community.dell.com/techcenter/extras/m/white_papers/20487494"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://en.community.dell.com/techcenter/extras/m/white_papers/20487494"
}
],
"sourceIdentifier": "security_alert@emc.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-77"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2013-09-24 10:35
Modified
2025-04-11 00:51
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in the login page in the Administrative Web Interface on Dell iDRAC6 monolithic devices with firmware before 1.96 and iDRAC7 devices with firmware before 1.46.45 allows remote attackers to inject arbitrary web script or HTML via the ErrorMsg parameter.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cret@cert.org | http://www.kb.cert.org/vuls/id/920038 | US Government Resource | |
| cret@cert.org | http://www.kb.cert.org/vuls/id/BLUU-997QVW | US Government Resource | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.kb.cert.org/vuls/id/920038 | US Government Resource | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.kb.cert.org/vuls/id/BLUU-997QVW | US Government Resource |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| dell | idrac6_firmware | * | |
| dell | idrac6_firmware | 1.0 | |
| dell | idrac6_firmware | 1.1 | |
| dell | idrac6_firmware | 1.2 | |
| dell | idrac6_firmware | 1.3 | |
| dell | idrac6_firmware | 1.5 | |
| dell | idrac6_firmware | 1.6 | |
| dell | idrac6_firmware | 1.8 | |
| dell | idrac6_monolithic | - | |
| dell | idrac7_firmware | * | |
| dell | idrac7_firmware | 1.00.00 | |
| dell | idrac7_firmware | 1.06.06 | |
| dell | idrac7_firmware | 1.10.10 | |
| dell | idrac7_firmware | 1.20.20 | |
| dell | idrac7_firmware | 1.23.23 | |
| dell | idrac7_firmware | 1.37.35 | |
| dell | idrac7 | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dell:idrac6_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4D9D5B45-9540-438A-9865-C2BC1FABECE8",
"versionEndIncluding": "1.95",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:dell:idrac6_firmware:1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "8165B5AB-8EC5-409A-9B82-2FE1C801E93E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:dell:idrac6_firmware:1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "E0432217-2FD7-49B4-8CB3-F9CD107F321B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:dell:idrac6_firmware:1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "3CE3EFC4-0E43-4474-95A0-EE010E4432EC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:dell:idrac6_firmware:1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "88F80B6F-D37C-4EF8-9307-548289B8D0E8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:dell:idrac6_firmware:1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "37C84DCC-B988-41FC-83FF-3265FBD20436",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:dell:idrac6_firmware:1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "282B62D0-949E-4664-AFE0-19A32AAE8583",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:dell:idrac6_firmware:1.8:*:*:*:*:*:*:*",
"matchCriteriaId": "D5272179-2DFF-4880-9FA5-4AC95A584B62",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dell:idrac6_monolithic:-:*:*:*:*:*:*:*",
"matchCriteriaId": "1178ECF0-A8BD-4236-83D8-5F39CD8BF6F2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:dell:idrac7_firmware:*:*:*:*:*:*:*:*",
"matchCriteriaId": "93014C51-F915-4635-A479-EEE4FC3816A1",
"versionEndIncluding": "1.40.40",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:dell:idrac7_firmware:1.00.00:*:*:*:*:*:*:*",
"matchCriteriaId": "E072CD73-1FB4-46A5-96B4-C9440ACCD2B5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:dell:idrac7_firmware:1.06.06:*:*:*:*:*:*:*",
"matchCriteriaId": "5F7E3E21-56E5-4F13-AE6C-6BD2A5D57FEE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:dell:idrac7_firmware:1.10.10:*:*:*:*:*:*:*",
"matchCriteriaId": "F8E06108-77C9-4F9C-A0B1-BEDC5C23D862",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:dell:idrac7_firmware:1.20.20:*:*:*:*:*:*:*",
"matchCriteriaId": "3542F818-1A1F-4B75-BA24-E5699F602301",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:dell:idrac7_firmware:1.23.23:*:*:*:*:*:*:*",
"matchCriteriaId": "539A6346-747E-4ACA-B048-3C7DEF6CC2AA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:dell:idrac7_firmware:1.37.35:*:*:*:*:*:*:*",
"matchCriteriaId": "32A7E775-FB16-4031-B85B-F0944251F4B6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:dell:idrac7:-:*:*:*:*:*:*:*",
"matchCriteriaId": "6B004193-6FCE-4E0C-9B3F-D56B4605701B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in the login page in the Administrative Web Interface on Dell iDRAC6 monolithic devices with firmware before 1.96 and iDRAC7 devices with firmware before 1.46.45 allows remote attackers to inject arbitrary web script or HTML via the ErrorMsg parameter."
},
{
"lang": "es",
"value": "Vulnerabilidad XSS en la p\u00e1gina de login del interfaz de administraci\u00f3n web en los dispositivos monol\u00edticos Dell iDRAC6 con firmware anterior a v1.46.45 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarias a trav\u00e9s del par\u00e1metro \"ErrorMsg\"."
}
],
"id": "CVE-2013-3589",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2013-09-24T10:35:51.923",
"references": [
{
"source": "cret@cert.org",
"tags": [
"US Government Resource"
],
"url": "http://www.kb.cert.org/vuls/id/920038"
},
{
"source": "cret@cert.org",
"tags": [
"US Government Resource"
],
"url": "http://www.kb.cert.org/vuls/id/BLUU-997QVW"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"US Government Resource"
],
"url": "http://www.kb.cert.org/vuls/id/920038"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"US Government Resource"
],
"url": "http://www.kb.cert.org/vuls/id/BLUU-997QVW"
}
],
"sourceIdentifier": "cret@cert.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}