CVE-2021-21581
Description
Dell EMC iDRAC9 versions prior to 5.00.00.00 contain a cross-site scripting vulnerability. A remote attacker could potentially exploit this vulnerability to run malicious HTML or JavaScript in a victim's browser by tricking a victim into following a specially crafted link.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Dell iDRAC9 before 5.00.00.00 contains a reflected cross-site scripting vulnerability exploitable via a crafted link.
Vulnerability
Dell EMC iDRAC9 versions prior to 5.00.00.00 contain a cross-site scripting (XSS) vulnerability in the web interface. An attacker can inject malicious HTML or JavaScript into a page rendered in the victim's browser. No authentication or special configuration is required to reach the vulnerable code path; the vulnerability is triggered by a crafted URL. [1]
Exploitation
A remote, unauthenticated attacker can exploit this vulnerability by tricking a victim into following a specially crafted link. The victim must be using a browser that can access the iDRAC9 web interface. No prior user interaction with the device is needed beyond clicking the malicious link. [1]
Impact
Successful exploitation allows the attacker to execute arbitrary HTML or JavaScript in the victim's browser within the context of the iDRAC9 session. This can lead to integrity compromise (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N) such as modifying displayed content or performing actions on behalf of an authenticated user. No direct information disclosure or remote code execution on the iDRAC itself is described. [1]
Mitigation
Dell has addressed the vulnerability in iDRAC9 firmware version 5.00.00.00 and later. Users should update their iDRAC9 firmware to that version or newer via the Dell support portal. No workarounds are provided; the only mitigation is to apply the fixed release. [1]
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] www.dell.com/support/kbdoc/000189193
News mentions
No linked articles in our index yet.