CVE-2025-27693
Description
Dell Wyse Management Suite, versions prior to WMS 5.1, contains an Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to Script injection.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Dell Wyse Management Suite prior to 5.1 contains a stored or reflected XSS vulnerability allowing high-privileged attackers to inject malicious scripts into web pages.
Vulnerability
Dell Wyse Management Suite (WMS) versions prior to WMS 5.1 contain an Improper Neutralization of Input During Web Page Generation vulnerability (Cross-site Scripting) in the proprietary code. The flaw arises from insufficient input validation or output encoding, allowing an attacker to inject arbitrary web scripts or HTML into the application's web pages. The affected versions are all WMS releases before WMS 5.1. [1]
Exploitation
An attacker requires high privileges (e.g., an administrator-level account) and remote access to the WMS web management interface. Exploitation does not require user interaction. The attacker would inject malicious script payloads via user-controllable input fields or parameters that are later reflected or stored and served to other users. The exact attack vector is not detailed in the available reference, but the vulnerability is classified as CWE-79 (XSS). [1]
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of a legitimate user's browser session. The CVSS 3.1 vector (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N) indicates a high impact on confidentiality but no impact on integrity or availability. This means the attacker could potentially access sensitive information displayed on the affected pages, such as session tokens or management data, but cannot modify data or cause denial of service. The overall severity is rated as HIGH with a base score of 4.9. [1]
Mitigation
Dell has released WMS version 5.1 to address this vulnerability. All users should upgrade to WMS 5.1 or later. No workarounds are mentioned in the available reference. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date (2025-04-02). [1]
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <5.1
- Range: N/A
Patches
No patches discovered yet.
References
[1] www.dell.com/support/kbdoc/en-us/000296515/dsa-2025-135 (mitre, vendor-advisory)