Summary
Dell iDRAC6 and iDRAC7 are prone to a cross-site scripting vulnerability because they fail to properly sanitize user-supplied input.
Impact
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks.
Solution
Firmware updates will be posted to the Dell support page when available.
Users should download the appropriate update for the version of iDRAC they have installed:
iDRAC6 'monolithic' (rack and tower) - FW version 1.96; targeted release date is Q4CY13.
iDRAC7 all models - FW version 1.46.45; target release date is mid/late September 2013.
Insight
The login page of the Dell iDRAC6 and iDRAC7 administrative web interface allows remote attackers to inject arbitrary script via the vulnerable query string parameter ErrorMsg, which is reflected into the page without encoding.
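As an added example (not Dell's code; the advisory does not show how iDRAC builds its login page), the following Python places the reflection defect described above beside its hardened form, and runs a small check over constructed web-server access-log lines that flags requests whose decoded ErrorMsg value carries HTML metacharacters. The page template, the `/login.html` path, the function names and the log lines are all assumptions.

```python
"""Added example for the ErrorMsg reflection: output encoding plus a log check.
Not Dell code; the template, path, function names and log lines are assumptions."""
import html
import re
from typing import List, Tuple
from urllib.parse import parse_qs, urlsplit

# Hypothetical login-page fragment; the advisory does not show the real page layout.
LOGIN_TEMPLATE = '<div class="login-error">{msg}</div>'

# Apache/nginx-style access-log line: client IP, timestamp, then the request line.
_LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+) [^"]*"')

# Characters that let a reflected value break out of an HTML text node or attribute.
_HTML_META = re.compile(r'[<>"\']')


def render_error_unsafe(error_msg: str) -> str:
    """The defect the advisory describes: the query parameter lands in the page verbatim."""
    return LOGIN_TEMPLATE.format(msg=error_msg)


def render_error_safe(error_msg: str) -> str:
    """Hardened form: HTML-escape the value before it enters the document."""
    return LOGIN_TEMPLATE.format(msg=html.escape(error_msg, quote=True))


def suspicious_error_msg(value: str) -> bool:
    """True when a decoded ErrorMsg value contains markup metacharacters."""
    return _HTML_META.search(value) is not None


def flag_log_lines(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client_ip, decoded ErrorMsg) for requests that look like reflection attempts."""
    hits: List[Tuple[str, str]] = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        ip, _method, target = m.groups()
        # parse_qs URL-decodes the values, so percent-encoded input is inspected decoded.
        params = parse_qs(urlsplit(target).query, keep_blank_values=True)
        for key, values in params.items():
            if key.lower() != "errormsg":  # match the parameter name case-insensitively
                continue
            for value in values:
                if suspicious_error_msg(value):
                    hits.append((ip, value))
    return hits


# Constructed sample log lines (not real traffic; the path is an assumption).
SAMPLE_LOGS = [
    '192.0.2.10 - - [12/Sep/2013:10:01:02 +0000] "GET /login.html?ErrorMsg=Session%20expired HTTP/1.1" 200 512',
    '192.0.2.11 - - [12/Sep/2013:10:01:05 +0000] "GET /login.html?ErrorMsg=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512',
    '192.0.2.12 - - [12/Sep/2013:10:01:09 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    tainted = "<script>alert(1)</script>"
    print("unsafe:", render_error_unsafe(tainted))
    print("safe:  ", render_error_safe(tainted))
    for ip, value in flag_log_lines(SAMPLE_LOGS):
        print(f"suspicious ErrorMsg from {ip}: {value!r}")
```

The escaping step is the actual fix: once the value is encoded for an HTML text node, the browser renders the characters instead of parsing them as markup. The log check is a triage aid for firmware that has not yet been updated; it decodes before matching so that percent-encoded input is not missed.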
Affected
Dell iDRAC6 1.95 and previous versions
Dell iDRAC7 1.40.40 and previous versions
NOTE: iDRAC6 'modular' (blades) are not affected; no updates are required.
Detection
Check the firmware version.
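As an added example (not Dell's code), the following Python turns the affected ranges listed above into a version check that can be run over a constructed inventory: dotted firmware strings are compared numerically rather than as text, iDRAC6 modular controllers are always reported as unaffected, and iDRAC7 versions above 1.40.40 are reported as not listed, since the advisory names no affected versions between 1.40.40 and the 1.46.45 fix. The model labels, hostnames and inventory records are assumptions.

```python
"""Added example: firmware-version triage for the ranges this advisory lists.
Not Dell code; the model labels, hostnames and inventory records are assumptions."""
from typing import Dict, List, Tuple

# Last affected firmware per model, exactly as listed under "Affected".
LAST_AFFECTED: Dict[str, str] = {
    "iDRAC6 monolithic": "1.95",
    "iDRAC7": "1.40.40",
}
# The advisory states that iDRAC6 modular (blade) controllers are not affected.
NOT_AFFECTED = {"iDRAC6 modular"}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.40.40' into (1, 40, 40) so versions compare numerically, not as strings."""
    parts = version.strip().split(".")
    if not all(part.isdigit() for part in parts):
        raise ValueError(f"unparseable firmware version: {version!r}")
    return tuple(int(part) for part in parts)


def is_affected(model: str, version: str) -> bool:
    """True when the advisory lists this model/firmware combination as vulnerable."""
    if model in NOT_AFFECTED:
        return False
    if model not in LAST_AFFECTED:
        raise ValueError(f"model not covered by this advisory: {model!r}")
    return parse_version(version) <= parse_version(LAST_AFFECTED[model])


def triage(inventory: List[Dict[str, str]]) -> List[str]:
    """Return the hostnames whose iDRAC firmware falls in an affected range."""
    return [
        rec["host"] for rec in inventory
        if is_affected(rec["model"], rec["firmware"])
    ]


# Constructed inventory records (hostnames and assignments are made up).
SAMPLE_INVENTORY = [
    {"host": "r710-01", "model": "iDRAC6 monolithic", "firmware": "1.95"},
    {"host": "r710-02", "model": "iDRAC6 monolithic", "firmware": "1.96"},
    {"host": "m610-01", "model": "iDRAC6 modular", "firmware": "1.95"},
    {"host": "r720-01", "model": "iDRAC7", "firmware": "1.40.40"},
    {"host": "r720-02", "model": "iDRAC7", "firmware": "1.46.45"},
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print("update required:", host)
```

The tuple comparison matters because a plain string comparison would rank "1.9" above "1.40.40"; parsing each component as an integer keeps the check aligned with how the firmware versions are numbered.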
References
Severity
Classification
CVE: CVE-2013-3589
CVSS Base Score: 4.3
CVSS Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N