Vulnerability Note VU#920038
Dell iDRAC 6 and iDRAC 7 are vulnerable to a cross-site scripting (XSS) attack
Dell iDRAC 6 version 1.41, Dell iDRAC 7 version 1.40.40 and possibly earlier versions contain a reflected cross-site scripting (XSS) (CWE-79) vulnerability.
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Dell iDRAC 6 version 1.41 and Dell iDRAC 7 version 1.40.40's administrative web interface login page can allow remote attackers to inject arbitrary script via the vulnerable query string parameter ErrorMsg.
A remote unauthenticated attacker may be able to execute arbitrary script in the context of the user's browser.
We are currently unaware of a practical solution to this problem. Please consider the following workarounds.
Apply an Update
As a general good security practice, only allow connections from trusted hosts and networks. Note that restricting access does not prevent XSS attacks since the attack comes as an HTTP request from a legitimate user's host. Restricting access would prevent an attacker from accessing the Dell iDRAC web interface using stolen credentials from a blocked network location.
Vendor Information (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Dell Computer Corporation, Inc.||Affected||01 Jul 2013||23 Sep 2013|
CVSS Metrics (Learn More)
Thanks to Tudor Enache of Help AG Middle East for reporting this vulnerability.
This document was written by Adam Rauf.
- CVE IDs: CVE-2013-3589
- Date Public: 23 Sep 2013
- Date First Published: 23 Sep 2013
- Date Last Updated: 24 Sep 2013
- Document Revision: 23
If you have feedback, comments, or additional information about this vulnerability, please send us email.