CVE-2024-0169
Description
Dell Unity, versions 5.3 and prior, contains an Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability. A low-privileged attacker with remote access could potentially exploit this vulnerability, leading to information exposure.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored cross-site scripting vulnerability in Dell Unity 5.3 and prior allows low-privileged remote attackers to expose sensitive information.
Vulnerability
Dell Unity, versions 5.3 and prior, contain an Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability. The flaw resides in the web-based management interface, where user-supplied input is not properly sanitized before being included in generated web pages. This allows an attacker to inject arbitrary HTML or JavaScript code that will be executed in the context of a legitimate user's session when the page is viewed. Affected products include Dell Unity, Dell Unity VSA, and Dell Unity XT running software versions prior to 5.4 [1].
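The neutralization gap described above, shown as an added example that is not Dell Unity code or part of the original advisory: a renderer that concatenates stored values into markup, beside one that encodes them at output time. The record layout, field names and function names are hypothetical, and the sample record is constructed.

```javascript
// Added illustration; names and record layout are hypothetical, not Dell Unity code.

// Encode the five characters that can change the HTML parsing context.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before": stored input is concatenated into the page as-is
// (the improper-neutralization pattern).
function renderRowUnsafe(record) {
  return `<tr><td title="${record.name}">${record.description}</td></tr>`;
}

// "After": every stored value is encoded when the page is generated,
// in both the attribute position and the element-text position.
function renderRowSafe(record) {
  return `<tr><td title="${escapeHtml(record.name)}">${escapeHtml(record.description)}</td></tr>`;
}

// Count opening tags in rendered output. A row built from the template
// must contain only its own <tr> and <td>, whatever the stored data is.
function countOpeningTags(html) {
  return (html.match(/<[a-zA-Z][^>]*>/g) || []).length;
}

// Constructed sample: a record saved earlier by a low-privileged account.
const storedRecord = {
  name: 'pool-01" data-injected="1',
  description: '<script>/* constructed marker */</script>backup pool',
};

const unsafeHtml = renderRowUnsafe(storedRecord);
const safeHtml = renderRowSafe(storedRecord);

console.log('unsafe opening tags:', countOpeningTags(unsafeHtml)); // 3: stored text parsed as markup
console.log('safe opening tags:  ', countOpeningTags(safeHtml));   // 2: only the template's tags
console.log(safeHtml);
```

A tag-count check like this works as a regression test for templates: any rendered row with more elements than its template means a stored value reached the page unencoded.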
Exploitation
A low-privileged attacker with network access to the Dell Unity management interface can exploit this vulnerability by crafting a malicious payload and injecting it into a vulnerable input field or parameter. The only credential required is the low-privileged account itself. The attacker does not need to trick a victim into clicking a link, because the injected script is stored on the server. When an administrator or other user accesses the affected page, the script executes automatically, making this a stored cross-site scripting attack [1].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to information exposure, including theft of session cookies, access tokens, or other sensitive data displayed on the page. The attacker gains the ability to perform actions on behalf of the victim within the web interface, potentially escalating privileges or exfiltrating confidential information [1].
Mitigation
Dell has released version 5.4 of Unity, Unity VSA, and Unity XT which addresses this vulnerability. Users are advised to upgrade to the latest software version as soon as possible. There is no workaround available for this issue. Additional mitigation steps include restricting network access to the management interface and following the principle of least privilege for user accounts [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Range: <=5.3
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.