CVE-2021-21543
Description
Dell EMC iDRAC9 versions prior to 4.40.00.00 contain multiple stored cross-site scripting vulnerabilities. A remote authenticated malicious user with high privileges could potentially exploit these vulnerabilities to store malicious HTML or JavaScript code through multiple affected parameters. When victim users access the submitted data through their browsers, the malicious code gets executed by the web browser in the context of the vulnerable application.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Dell iDRAC9 prior to 4.40.00.00 allows a high-privileged attacker to inject malicious script via multiple parameters.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in Dell EMC iDRAC9 versions prior to 4.40.00.00. The issue allows a remote authenticated user with high privileges to inject arbitrary HTML or JavaScript code through multiple affected parameters. The injected content is then stored and later rendered in the web browser of victim users accessing the submitted data, leading to script execution in the context of the vulnerable application [1].
Exploitation
To exploit this vulnerability, an attacker must be authenticated to the iDRAC web interface and possess high privileges. The attacker then inputs malicious payloads into specific parameters that are not properly sanitized. When other users (or the attacker themselves viewing the stored data) load the affected page in their browser, the stored script executes automatically, without requiring any additional user interaction beyond normal browsing [1].
Impact
Successful exploitation allows the attacker to execute arbitrary HTML/JavaScript code in the victim's browser within the iDRAC web interface context. This can lead to disclosure of session tokens, manipulation of page content, or further attacks against the victim user. The impact is limited to the web application scope, with a CVSS v3.1 base score of 4.8 (Medium), reflecting the requirement of high privileges and user interaction for the attack [1].
Mitigation
Dell has released iDRAC9 version 4.40.00.00 which resolves this vulnerability. Users should update their iDRAC firmware as soon as possible. No workarounds are provided for versions prior to the fixed release. The vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] www.dell.com/support/kbdoc/000185293
News mentions
No linked articles in our index yet.