CVE-2025-36577

Vulnerability

Dell Wyse Management Suite (WMS) versions prior to 5.2 contain an Improper Neutralization of Input During Web Page Generation vulnerability, commonly known as Cross-site Scripting (XSS) [1]. The issue exists in the proprietary code of WMS, where user-supplied input is not properly sanitized before being reflected in web pages, enabling script injection [1].

Exploitation

An attacker with high privileges (e.g., administrator-level access) and remote network access can exploit this vulnerability by crafting a malicious input that, when processed by the vulnerable WMS component, injects client-side scripts [1]. User interaction is required for successful exploitation, as the victim must visit a crafted link or page containing the injected script [1].

Impact

Successful exploitation allows the attacker to execute arbitrary scripts in the context of an authenticated user's browser session [1]. This can lead to disclosure of sensitive information (confidentiality impact) and potential unauthorized modification of data (integrity impact) within the affected WMS environment [1]. The CVSS v3.1 base score is 6.1 (AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N) [1].

Mitigation

The vulnerability is fixed in Dell Wyse Management Suite version 5.2 [1]. Users should upgrade to WMS 5.2 or later to mitigate the risk. No workarounds are provided in the advisory [1].