CVE-2023-43071
Description
Dell SmartFabric Storage Software v1.4 and earlier contains HTML and CSV formula injection vulnerabilities that could lead to XSS attacks in the GUI.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Dell SmartFabric Storage Software versions v1.4.0 and prior are affected by HTML injection and CSV formula injection vulnerabilities in the GUI. These flaws can be escalated to cross-site scripting (XSS) attacks. The vulnerabilities exist in the HTML pages of the web interface. [1]
Exploitation
A remote authenticated attacker can exploit these injection issues by crafting malicious input that is not properly sanitized. The attacker must have valid credentials to access the GUI. The injection can be performed via HTML or CSV formula fields, leading to execution of arbitrary scripts in the context of the victim's browser session. [1]
Impact
Successful exploitation allows the attacker to perform various injection attacks, including cross-site scripting (XSS). This could lead to session hijacking, defacement, or redirection to malicious sites. The attacker gains the ability to execute arbitrary JavaScript in the context of the SmartFabric Storage Software GUI. [1]
Mitigation
Dell has released SmartFabric Storage Software version v1.4.1 to address these vulnerabilities. Users should upgrade to v1.4.1 or later. The update is available for Debian package, ESXi, and Linux KVM deployments. No workarounds are documented. [1]
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <=1.4
- (no CPE) range: v1.4.0 and prior
Patches
No patches discovered yet.
References
1
News mentions
No linked articles in our index yet.