VYPR
Unrated severity · NVD Advisory · Published Jan 4, 2021 · Updated Sep 17, 2024

CVE-2020-29496

Description

Dell Wyse Management Suite versions prior to 3.1 contain a stored cross-site scripting vulnerability. A remote authenticated malicious user with high privileges could exploit this vulnerability to store malicious HTML or JavaScript code while creating the Enduser. When victim users access the submitted data through their browsers, the malicious code gets executed by the web browser in the context of the vulnerable application.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Dell Wyse Management Suite prior to 3.1 contains a stored XSS vulnerability allowing high-privileged authenticated users to inject malicious scripts via Enduser creation.

Vulnerability

Dell Wyse Management Suite versions prior to 3.1 contain a stored cross-site scripting (XSS) vulnerability in the Enduser creation functionality [1]. A remote authenticated user with high privileges can inject malicious HTML or JavaScript code while creating an Enduser. The injected payload is stored on the server and later executed when victim users access the submitted data through their browsers.

Exploitation

An attacker must have network access to the Wyse Management Suite, valid authentication credentials, and high privileges (e.g., administrator role). The attacker crafts a malicious payload during the Enduser creation process. When other users (including those with lower privileges) view the affected Enduser data via their web browsers, the stored script executes in the context of the vulnerable application.

Impact

Successful exploitation allows the attacker to execute arbitrary HTML or JavaScript in the victim's browser within the Wyse Management Suite session. This can lead to disclosure of sensitive information, session hijacking, or other client-side attacks. The CVSS v3.1 base score is 4.8 (Medium) with vector AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N, indicating a scope change and low impact on confidentiality and integrity [1].

Mitigation

The vulnerability is fixed in Dell Wyse Management Suite version 3.1 [1]. Users should upgrade to version 3.1 or later. No workarounds are documented in the available references. This CVE is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

References

1
