CVE-2024-22230
Description
Dell Unity, versions prior to 5.4, contains a cross-site scripting vulnerability. An authenticated attacker could potentially exploit this vulnerability to steal session information, masquerade as the affected user, carry out any actions that this user could perform, or generally control the victim's browser.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Dell Unity versions before 5.4 contain a stored cross-site scripting vulnerability that allows an authenticated attacker to steal sessions or perform actions as the victim.
Vulnerability
Dell Unity, Dell Unity VSA, and Dell Unity XT versions prior to 5.4 contain a cross-site scripting (XSS) vulnerability in an unspecified web interface component. The vulnerability requires an authenticated attacker to inject malicious scripts into fields that are later rendered to other users without proper sanitization [1]. Affected software includes all Dell Unity family products running versions before 5.4 [1].
Exploitation
An attacker must first authenticate to the Dell Unity management interface. The attacker then injects crafted script payloads into input fields (such as configuration parameters or storage object names) that are viewable by other users. When a victim user (e.g., an administrator) views the affected page, the injected script executes in their browser context. No additional user interaction beyond viewing the page is required [1].
Impact
Successful exploitation enables the attacker to steal session cookies, perform actions as the victim (masquerading), or control the victim's browser. This can lead to unauthorized access to the management interface with the victim's privileges, potentially resulting in further compromise of the storage system [1].
Mitigation
Dell has released fixed firmware version 5.4, which resolves this vulnerability. Customers should upgrade to Unity OE version 5.4 or later as specified in Dell Security Advisory DSA-2024-042 [1]. No workarounds are documented; Dell recommends applying the update as soon as possible.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
No patches discovered yet.
References: 1
News mentions: 0
No linked articles in our index yet.