Vulnerability CVE-2018-1246


Published: 2018-09-28

Description:
Dell EMC Unity and UnityVSA contain a reflected cross-site scripting vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability by tricking a victim application user into supplying malicious HTML or JavaScript code to Unisphere, which is then reflected back to the victim and executed by the web browser. The attacker needs no Unisphere account of their own; the injected script runs in the browser of the Unisphere user who follows the crafted link, within that user's session.

Type:

CWE-79

(Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'))

Vendor: DELL
Product: EMC UnityVSA Operating Environment
Version:
4.2.3.9670635
4.2.2.9632250
4.2.1.9535982
4.2.0.9476662
4.2.0.9392909
4.1.2.9257522
4.1.1.9138882
4.1.0.9058043
4.1.0.8959731
4.1.0.8940590
4.0.2.8627717
4.0.1.8404134
4.0.1.8320161
4.0.1.8194551
4.0.0.7329527
Product: EMC Unity Operating Environment
Version:
4.2.3.9670635
4.2.2.9632250
4.2.1.9535982
4.2.0.9476662
4.2.0.9392909
4.1.2.9257522
4.1.1.9138882
4.1.0.9058043
4.1.0.8959731
4.1.0.8940590
4.0.2.8627717
4.0.1.8404134
4.0.1.8320161
4.0.1.8194551
4.0.0.7329527

CVSS2 => (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10

Exploit range: Remote
Attack complexity: Medium
Authentication: Not required

Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

References:
https://seclists.org/fulldisclosure/2018/Sep/30

Related CVE
CVE-2019-3744
Dell/Alienware Digital Delivery versions prior to 4.0.41 contain a privilege escalation vulnerability. A local non-privileged malicious user could exploit a Universal Windows Platform application by manipulating the install software package feature w...
CVE-2019-3742
Dell/Alienware Digital Delivery versions prior to 3.5.2013 contain a privilege escalation vulnerability. A local non-privileged malicious user could exploit a named pipe that performs binary deserialization via a process hollowing technique to inject...
CVE-2019-3717
Select Dell Client Commercial and Consumer platforms contain an Improper Access Vulnerability. An unauthenticated attacker with physical access to the system could potentially bypass intended Secure Boot restrictions to run unsigned and untrusted cod...
CVE-2019-3741
Dell EMC Unity and UnityVSA versions prior to 5.0.0.0.5.116 contain a plain-text password storage vulnerability. A Unisphere user's (including the admin privilege user) password is stored in a plain text in Unity Data Collection bundle (logs files fo...
CVE-2019-3734
Dell EMC Unity and UnityVSA versions prior to 5.0.0.0.5.116 contain an improper authorization vulnerability in NAS Server quotas configuration. A remote authenticated Unisphere Operator could potentially exploit this vulnerability to edit quota confi...
CVE-2019-12280
PC-Doctor Toolbox before 7.3 has an Uncontrolled Search Path Element.
CVE-2019-3735
Dell SupportAssist for Business PCs version 2.0 and Dell SupportAssist for Home PCs version 2.2, 2.2.1, 2.2.2, 2.2.3, 3.0, 3.0.1, 3.0.2, 3.1, 3.2, and 3.2.1 contain an Improper Privilege Management Vulnerability. A malicious local user can exploit th...
CVE-2019-3737
Dell EMC Avamar ADMe Web Interface 1.0.50 and 1.0.51 are affected by an LFI vulnerability which may allow a malicious user to download arbitrary files from the affected system by sending a specially crafted request to the Web Interface application.

Copyright 2019, cxsecurity.com
