CVE-2021-21580
Description
Dell EMC iDRAC8 versions prior to 2.80.80.80 & Dell EMC iDRAC9 versions prior to 5.00.00.00 contain a Content spoofing / Text injection vulnerability, where a malicious URL can inject text to present a customized message on the application that can phish users into believing that the message is legitimate.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Dell iDRAC8 and iDRAC9 versions are vulnerable to content spoofing via crafted URLs, enabling phishing attacks.
Vulnerability
Dell EMC iDRAC8 versions prior to 2.80.80.80 and iDRAC9 versions prior to 5.00.00.00 contain a content spoofing / text injection vulnerability. A specially crafted URL can inject arbitrary text into the iDRAC web interface, allowing an attacker to present a customized message that may appear legitimate to users [1].
Exploitation
An unauthenticated remote attacker can exploit this vulnerability by crafting a malicious URL containing injected text and tricking a user into clicking the link (user interaction required). No prior authentication or network position is necessary beyond the ability to deliver the link to the victim. Once clicked, the iDRAC interface displays the attacker-controlled text [1].
Impact
Successful exploitation allows the attacker to display arbitrary text within the iDRAC web application, which can be used to phish users into believing the message is genuine. The CVSS v3.1 base score is 4.3 (Medium), with no impact on confidentiality or availability, only a low impact on integrity [1].
Mitigation
Dell has released firmware updates to address this vulnerability: iDRAC8 version 2.80.80.80 and iDRAC9 version 5.00.00.00. Users should update to these versions or later to mitigate the issue. No workarounds are documented; updating firmware is the recommended action [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (3)
- Range: unspecified
Patches
No patches discovered yet.
References
[1] www.dell.com/support/kbdoc/000189193 (mitre, x_refsource_MISC)