
CERT Coordination Center


Dell OpenManage Server Administrator version 7.1.0.1 DOM-based XSS vulnerability

Vulnerability Note VU#950172

Original Release Date: 2013-01-09 | Last Revised: 2015-09-17

Overview

Dell OpenManage Server Administrator version 7.1.0.1 and earlier contains a DOM-based cross-site scripting vulnerability.

Description

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Dell OpenManage Server Administrator version 7.1.0.1 and earlier contains a DOM-based cross-site scripting vulnerability.

Example: https://www.example.com:1311/help/sm/en/Output/wwhelp/wwhimpl/js/html/index_main.htm?topic="></iframe><iframe src="javascript:alert(/xss/)

Note the affected file is located in multiple locations:
/help/sm/es/Output/wwhelp/wwhimpl/js/html/index_main.htm
/help/sm/ja/Output/wwhelp/wwhimpl/js/html/index_main.htm
/help/sm/de/Output/wwhelp/wwhimpl/js/html/index_main.htm
/help/sm/fr/Output/wwhelp/wwhimpl/js/html/index_main.htm
/help/sm/zh/Output/wwhelp/wwhimpl/js/html/index_main.htm
/help/hip/en/msgguide/wwhelp/wwhimpl/js/html/index_main.htm
/help/hip/en/msgguide/wwhelp/wwhimpl/common/html/index_main.htm
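The following JavaScript is an added illustration written for this note, not the help-page script shipped with OpenManage Server Administrator. It shows the DOM-based XSS pattern CWE-79 describes (a query-string topic value concatenated into page markup), a hardened version that allowlists the value before it reaches the DOM, and a check a defender can run over web server access logs for the affected help paths. The function names, the iframe markup template, and the sample log lines are assumptions constructed for the example.

```javascript
// Added example for VU#950172: the DOM-based XSS pattern the note describes,
// a hardened version, and an access-log check. This is illustrative code
// written for the note, not Dell's or the help generator's script; every
// function name, the markup template, and the log format are assumptions.

// Constructed inputs: a normal topic and the payload quoted in the note.
const BENIGN_QUERY = '?topic=storage_overview';
const PAYLOAD_QUERY = '?topic="></iframe><iframe src="javascript:alert(/xss/)';

// Stand-in for reading window.location.search in a browser.
function parseTopic(search) {
  const query = search.startsWith('?') ? search.slice(1) : search;
  for (const pair of query.split('&')) {
    const eq = pair.indexOf('=');
    const key = eq === -1 ? pair : pair.slice(0, eq);
    const value = eq === -1 ? '' : pair.slice(eq + 1);
    if (decodeURIComponent(key) === 'topic') return decodeURIComponent(value);
  }
  return null;
}

// Vulnerable pattern (assumed shape): the raw value is concatenated into
// markup destined for innerHTML or document.write. A value that closes the
// quoted attribute and the element lets the request inject its own tags.
function renderTopicFrameUnsafe(search) {
  const topic = parseTopic(search) || 'index';
  return '<iframe src="' + topic + '.htm"></iframe>';
}

// Hardened pattern: a topic is a file name from a fixed character set, so
// accept exactly that and fall back to the default otherwise. The value is
// still HTML-escaped before it is placed in an attribute.
const TOPIC_NAME = /^[A-Za-z0-9_-]{1,64}$/;

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

function renderTopicFrameSafe(search) {
  const raw = parseTopic(search);
  const topic = raw !== null && TOPIC_NAME.test(raw) ? raw : 'index';
  return '<iframe src="' + escapeHtml(topic) + '.htm"></iframe>';
}

// Defender-side check for access logs: flag requests to the affected help
// paths whose topic value is not a plain topic name (markup, script URLs,
// or undecodable percent-encoding). The path pattern covers the locations
// listed in the note; the log lines below are constructed Apache-style.
const AFFECTED_PATH =
  /\/help\/(?:sm|hip)\/[^ ]*\/wwhelp\/wwhimpl\/[^ ]*\/html\/index_main\.htm(\?[^ ]*)?/;

function flagSuspiciousHelpRequest(logLine) {
  const m = AFFECTED_PATH.exec(logLine);
  if (!m || !m[1]) return false;          // not an affected path, or no query
  let topic;
  try { topic = parseTopic(m[1]); } catch (e) { return true; } // bad %-encoding
  if (topic === null) return false;        // no topic parameter at all
  return !TOPIC_NAME.test(topic);
}

const SAMPLE_LOG_LINES = [
  '10.0.0.5 - - [09/Jan/2013:10:00:01 +0000] "GET /help/sm/en/Output/wwhelp/wwhimpl/js/html/index_main.htm?topic=storage_overview HTTP/1.1" 200 1822',
  '10.0.0.9 - - [09/Jan/2013:10:00:07 +0000] "GET /help/sm/de/Output/wwhelp/wwhimpl/js/html/index_main.htm?topic=%22%3E%3C/iframe%3E%3Ciframe%20src=%22javascript:alert(/xss/) HTTP/1.1" 200 1822',
  '10.0.0.5 - - [09/Jan/2013:10:00:12 +0000] "GET /index.html HTTP/1.1" 200 512',
];

// Returns the flagged lines so the result can be reviewed or alerted on.
function suspiciousRequests(lines) {
  return lines.filter(flagSuspiciousHelpRequest);
}

console.log(renderTopicFrameUnsafe(PAYLOAD_QUERY));
console.log(renderTopicFrameSafe(PAYLOAD_QUERY));
console.log(suspiciousRequests(SAMPLE_LOG_LINES).length, 'suspicious request(s)');
```

The allowlist is the actual fix; escaping alone would still let an attacker-chosen string reach an attribute, and a topic name that is only a file stem never needs characters outside the pattern. The log check is a triage aid for the period before OMSA 7.4 is deployed, not a substitute for the update.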

Impact

A remote attacker may be able to execute arbitrary script in the context of the end-user's browser session.

Solution

Apply an update

Dell has released OMSA 7.4 to address this vulnerability.

Restrict Access

The Dell OpenManage Server Administrator interface should not be Internet facing.

Vendor Information

The vulnerability reporter has confirmed that Dell OpenManage Server Administrator 6.5.0.1, 7.0.0.1 and 7.1.0.1 are affected by this vulnerability.


Dell Computer Corporation, Inc.

Notified: November 20, 2012 | Updated: September 17, 2015

Statement Date: April 01, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Oracle Corporation

Updated: January 10, 2013

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group          Score  Vector
Base           5.0    AV:N/AC:L/Au:N/C:N/I:P/A:N
Temporal       3.6    E:U/RL:W/RC:UC
Environmental  1.4    CDP:LM/TD:L/CR:ND/IR:ND/AR:ND

References

Credit

Thanks to Tenable Network Security for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

CVE IDs: CVE-2012-6272
Date Public: 2013-01-09
Date First Published: 2013-01-09
Date Last Updated: 2015-09-17 19:55 UTC
Document Revision: 6

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.