VYPR
Medium severity 5.4 · NVD Advisory · Published Jun 16, 2026 · Updated Jun 16, 2026

CVE-2024-30476

Description

A stored XSS vulnerability in Dell PowerStore Manager allows remote authenticated low-privileged users to execute arbitrary JavaScript in victim browsers.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in the PowerStore Manager web interface of Dell PowerStore (PowerStoreT OS) versions prior to 4.0.0.0-2284811 [1]. The flaw allows a remote authenticated attacker with low privileges to inject malicious scripts into the application, which are then stored and later served to other users [1].

Exploitation

An attacker must have valid low-privileged credentials and access to the PowerStore Manager web console. The attacker inserts crafted script payloads into input fields or other user-controllable data that the application does not properly sanitize. When a victim (potentially an administrator) views the affected page, the injected script executes within their browser session [1].

Impact

Successful exploitation leads to arbitrary JavaScript execution in the victim's browser context. Depending on the victim's privileges (e.g. an admin with high permissions), the attacker could steal session cookies, perform actions as the victim, access sensitive configuration data, or deface the management interface [1].

Mitigation

Dell has released PowerStoreT OS version 4.0.0.0-2284811, which addresses this vulnerability [1]. Users should upgrade to this version or later. There is no known workaround; upgrading is the recommended course of action [1].

AI Insight generated on Jun 16, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1
