VYPR
Unrated severity · NVD Advisory · Published Jun 10, 2025 · Updated Jun 11, 2025

CVE-2025-36580

Description

Dell Wyse Management Suite, versions prior to WMS 5.2, contain an Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to script injection.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An XSS vulnerability in Dell Wyse Management Suite before 5.2 allows a high-privileged remote attacker to inject scripts via improper input neutralization.

Vulnerability

An improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability exists in Dell Wyse Management Suite (WMS) versions prior to 5.2 [1]. This flaw allows stored or reflected XSS, requiring a high-privileged attacker with remote access to inject arbitrary script code into web pages served by the application [1].

Exploitation

An attacker must have high privileges (e.g., administrator access) and remote network connectivity to the WMS interface. The exploitation sequence involves crafting a malicious input that is not properly sanitized, leading to script execution in the context of another authenticated user's session after they interact with the affected page [1]. User interaction (e.g., clicking a link or viewing a crafted page) is required for the attack to succeed [1]. Note: CVSS v3.1 vector indicates network access, low attack complexity, and required user interaction [1].

Impact

Successful exploitation results in script injection within the web browser of the target user. The attacker can potentially steal session cookies, modify page content, or perform actions on behalf of the victim, leading to confidentiality and integrity impact (CVSS base score 6.1). The attack does not affect availability [1]. The compromise is scoped to the web application's security context.

Mitigation

The vendor, Dell, has addressed this vulnerability in Wyse Management Suite version 5.2, released on or around June 10, 2025 [1]. Upgrading to WMS 5.2 or later is the recommended mitigation. No workaround is provided in the available references. This CVE is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog [1].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

1
