List: full-disclosure
Subject: [FD] DSA-2019-031: Dell EMC IsilonSD Management Server Cross-Site Scripting (XSS) Vulnerabilities
From: <secure () Dell ! com>
Date: 2019-04-08 16:50:52
Message-ID: 4024b53e96364c88b73fdf84c6728224 () ausx13mps321 ! AMER ! DELL ! COM
DSA-2019-031: Dell EMC IsilonSD Management Server Cross-Site Scripting (XSS) Vulnerabilities
Dell EMC Identifier: DSA-2019-031
CVE Identifier: CVE-2019-3708, CVE-2019-3709
Severity: High
Severity Rating: Please refer to the Details section below for the individual CVSS scores for each CVE.
Affected products:
Dell EMC IsilonSD Management Server 1.1.0
Summary:
Dell EMC IsilonSD Management Server 1.1.1 contains fixes for two cross-site scripting (XSS) security vulnerabilities, which could potentially be exploited by malicious users to compromise the affected system.
Details:
Dell EMC IsilonSD Management Server 1.1.1 has been updated for the following XSS vulnerabilities:
* Cross-Site Scripting Vulnerability in OVA file upload feature (CVE-2019-3708):
IsilonSD Management Server 1.1.0 contains a cross-site scripting vulnerability in the OVA file upload feature. A remote attacker could potentially exploit this vulnerability by tricking an admin user, executing malicious HTML or JavaScript code in the context of that admin user.
CVSS v3 Base Score: 8.3 (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)
* Cross-Site Scripting Vulnerability while registering vCenter servers (CVE-2019-3709):
IsilonSD Management Server 1.1.0 contains a cross-site scripting vulnerability in the vCenter server registration feature. A remote attacker could potentially exploit this vulnerability by tricking an admin user, executing malicious HTML or JavaScript code in the context of that admin user.
CVSS v3 Base Score: 8.3 (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)
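As an added illustration, not code from the advisory or from Dell EMC: both vectors above are admin-supplied strings (an uploaded OVA file name, a vCenter server name) that end up in the management server's HTML. The hypothetical handlers below place the vulnerable concatenation pattern beside a hardened one that allow-lists the input and HTML-encodes it on output; the regexes, function names and sample values are assumptions, not IsilonSD's real code.

```python
import html
import re

# Allow-list patterns (assumptions, not Dell EMC's rules): an OVA upload name is a
# plain file name ending in .ova; a vCenter host is an RFC-1123 hostname or IPv4.
OVA_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}\.ova$")
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)


def validate_ova_filename(name: str) -> bool:
    """Accept only file names that look like an OVA package."""
    return OVA_NAME_RE.fullmatch(name) is not None


def validate_vcenter_host(host: str) -> bool:
    """Accept only a syntactically valid hostname or IPv4 literal."""
    return HOSTNAME_RE.fullmatch(host) is not None


def render_status_unsafe(label: str, value: str) -> str:
    """Vulnerable pattern: untrusted value concatenated straight into markup."""
    return f"<li>{label}: {value}</li>"


def render_status(label: str, value: str):
    """Hardened pattern: allow-list known fields, then encode everything on output.

    Returns None when the input is rejected, otherwise the encoded HTML fragment.
    Encoding is applied even to validated values (defence in depth).
    """
    if label == "OVA" and not validate_ova_filename(value):
        return None
    if label == "vCenter" and not validate_vcenter_host(value):
        return None
    return f"<li>{html.escape(label)}: {html.escape(value, quote=True)}</li>"


def payload_survives(rendered: str, payload: str) -> bool:
    """Regression check: did the raw payload reach the rendered HTML unchanged?"""
    return payload in rendered


# Constructed sample inputs, not values from the advisory.
SAMPLE_PAYLOAD = "<script>alert(1)</script>"
SAMPLE_OVA = "isilonsd-node.ova"
SAMPLE_HOST = "vcenter.example.test"
```

The `payload_survives` check is the kind of assertion a unit test for these screens would carry so that a future change back to string concatenation fails the build.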
Resolution:
The following Dell EMC IsilonSD Management Server release contains resolutions to these vulnerabilities:
* Dell EMC IsilonSD Management Server 1.1.1
Dell EMC recommends all customers upgrade at the earliest opportunity.
Link to remedies:
Customers can download software from
https://download.emc.com/downloads/DL93395_IsilonSD-Management-Server-1.1.1%C2%A0upgrade-package.rpm?source=OLS
https://download.emc.com/downloads/DL93394_IsilonSD-Management-Server-1.1.1-installation-package.ova?source=OLS
Credit:
Dell EMC would like to thank Jarrod Farncomb for reporting these vulnerabilities.
Severity Rating
For an explanation of Severity Ratings, refer to Dell EMC Knowledgebase article 468307 (https://support.emc.com/kb/468307). Dell EMC recommends all customers take into account both the base score and any relevant temporal and environmental scores which may impact the potential severity associated with a particular security vulnerability.
Legal Information
Read and use the information in this Dell EMC Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this advisory, contact Dell EMC Technical Support (https://support.emc.com/servicecenter/contactEMC/). Dell EMC distributes Dell EMC Security Advisories in order to bring important security information to the attention of users of the affected Dell EMC products. Dell EMC recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. Dell EMC disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Dell EMC or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Dell EMC or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/