Sign-up

ID

VAR-201301-0050


CVE

CVE-2012-6272


TITLE

Dell OpenManage Server Administrator version 7.1.0.1 DOM-based XSS vulnerability

Trust: 0.8

sources: CERT/CC: VU#950172

DESCRIPTION

Multiple cross-site scripting (XSS) vulnerabilities in Dell OpenManage Server Administrator 6.5.0.1, 7.0.0.1, and 7.1.0.1 allow remote attackers to inject arbitrary web script or HTML via the topic parameter to html/index_main.htm in (1) help/sm/en/Output/wwhelp/wwhimpl/js/, (2) help/sm/es/Output/wwhelp/wwhimpl/js/, (3) help/sm/ja/Output/wwhelp/wwhimpl/js/, (4) help/sm/de/Output/wwhelp/wwhimpl/js/, (5) help/sm/fr/Output/wwhelp/wwhimpl/js/, (6) help/sm/zh/Output/wwhelp/wwhimpl/js/, (7) help/hip/en/msgguide/wwhelp/wwhimpl/js/, or (8) help/hip/en/msgguide/wwhelp/wwhimpl/common/. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may let the attacker steal cookie-based authentication credentials and launch other attacks. Dell OpenManage Server Administrator (OMSA) is a system management solution of Dell (Dell). The solution supports online diagnosis, system operation detection, equipment management, etc. The vulnerability is caused by the program not properly validating the input passed to help/sm/en/Output/wwhelp/wwhimpl/js/html/index_main before returning it to the user. ---------------------------------------------------------------------- The final version of the CSI 6.0 has been released. Find out why this is not just another Patch Management solution: http://secunia.com/blog/325/ ---------------------------------------------------------------------- TITLE: Dell OpenManage Server Administrator "topic" Cross-Site Scripting Vulnerability SECUNIA ADVISORY ID: SA51764 VERIFY ADVISORY: Secunia.com http://secunia.com/advisories/51764/ Customer Area (Credentials Required) https://ca.secunia.com/?page=viewadvisory&vuln_id=51764 RELEASE DATE: 2013-01-09 DISCUSS ADVISORY: http://secunia.com/advisories/51764/#comments AVAILABLE ON SITE AND IN CUSTOMER AREA: * Last Update * Popularity * Comments * Criticality Level * Impact * Where * Solution Status * Operating System / Software * CVE Reference(s) http://secunia.com/advisories/51764/ ONLY AVAILABLE IN CUSTOMER AREA: * Authentication Level * Report Reliability * Secunia PoC * Secunia Analysis * Systems Affected * Approve Distribution * Remediation Status * Secunia CVSS Score * CVSS https://ca.secunia.com/?page=viewadvisory&vuln_id=51764 ONLY AVAILABLE WITH SECUNIA CSI AND SECUNIA PSI: * AUTOMATED SCANNING http://secunia.com/vulnerability_scanning/personal/ http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/ DESCRIPTION: A vulnerability has been reported in Dell OpenManage Server Administrator, which can be exploited by malicious people to conduct cross-site scripting attacks. Input passed via the "topic" parameter to e.g. help/sm/en/Output/wwhelp/wwhimpl/js/html/index_main.htm is not properly sanitised before being returned to the user. SOLUTION: No official solution is currently available. PROVIDED AND/OR DISCOVERED BY: US-CERT credits Tenable Network Security. ORIGINAL ADVISORY: US-CERT VU#950172: http://www.kb.cert.org/vuls/id/950172 OTHER REFERENCES: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ DEEP LINKS: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED DESCRIPTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXTENDED SOLUTION: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ EXPLOIT: Further details available in Customer Area: http://secunia.com/vulnerability_intelligence/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help private users keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/advisories/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Trust: 2.88

sources: NVD: CVE-2012-6272 // CERT/CC: VU#950172 // JVNDB: JVNDB-2013-001028 // BID: 57212 // VULHUB: VHN-59553 // VULMON: CVE-2012-6272 // PACKETSTORM: 119392

AFFECTED PRODUCTS

vendor:dellmodel:openmanage server administratorscope:eqversion:6.5.0.1

Trust: 2.4

vendor:dellmodel:openmanage server administratorscope:eqversion:7.0.0.1

Trust: 2.4

vendor:dellmodel:openmanage server administratorscope:eqversion:7.1.0.1

Trust: 2.4

vendor:dell computermodel: - scope: - version: -

Trust: 0.8

vendor:oraclemodel: - scope: - version: -

Trust: 0.8

sources: CERT/CC: VU#950172 // JVNDB: JVNDB-2013-001028 // CNNVD: CNNVD-201301-125 // NVD: CVE-2012-6272

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD: CVE-2012-6272
value: MEDIUM

Trust: 1.6

nvd@nist.gov: CVE-2012-6272
value: MEDIUM

Trust: 1.0

CNNVD: CNNVD-201301-125
value: MEDIUM

Trust: 0.6

VULHUB: VHN-59553
value: MEDIUM

Trust: 0.1

VULMON: CVE-2012-6272
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2012-6272
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

NVD: CVE-2012-6272
severity: MEDIUM
baseScore: 5.0
vectorString: NONE
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-59553
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: CERT/CC: VU#950172 // VULHUB: VHN-59553 // VULMON: CVE-2012-6272 // JVNDB: JVNDB-2013-001028 // CNNVD: CNNVD-201301-125 // NVD: CVE-2012-6272

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.9

sources: VULHUB: VHN-59553 // JVNDB: JVNDB-2013-001028 // NVD: CVE-2012-6272

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201301-125

TYPE

xss

Trust: 0.7

sources: PACKETSTORM: 119392 // CNNVD: CNNVD-201301-125

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2013-001028

EXPLOIT AVAILABILITY
sources:
            
            
            VULHUB: VHN-59553 // 
            
            
            
            VULMON: CVE-2012-6272

PATCH
title:Dell OpenManage Server Administratorurl:http://content.dell.com/us/en/enterprise/d/solutions/openmanage-server-administrator
Trust: 0.8
sources:
            
            
            JVNDB: JVNDB-2013-001028

EXTERNAL IDS
db:CERT/CCid:VU#950172
Trust: 3.5
db:NVDid:CVE-2012-6272
Trust: 2.9
db:JVNid:JVNVU97486520
Trust: 0.8
db:JVNDBid:JVNDB-2013-001028
Trust: 0.8
db:SECUNIAid:51764
Trust: 0.8
db:CNNVDid:CNNVD-201301-125
Trust: 0.7
db:BIDid:57212
Trust: 0.4
db:EXPLOIT-DBid:38179
Trust: 0.2
db:VULHUBid:VHN-59553
Trust: 0.1
db:VULMONid:CVE-2012-6272
Trust: 0.1
db:PACKETSTORMid:119392
Trust: 0.1
sources:
            
            
            CERT/CC: VU#950172 // 
            
            
            
            VULHUB: VHN-59553 // 
            
            
            
            VULMON: CVE-2012-6272 // 
            
            
            
            BID: 57212 // 
            
            
            
            JVNDB: JVNDB-2013-001028 // 
            
            
            
            PACKETSTORM: 119392 // 
            
            
            
            CNNVD: CNNVD-201301-125 // 
            
            
            
            NVD: CVE-2012-6272

REFERENCES
url:http://www.kb.cert.org/vuls/id/950172
Trust: 2.8
url:about vulnerability notes
Trust: 0.8
url:contact us about this vulnerability
Trust: 0.8
url:provide a vendor statement
Trust: 0.8
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2012-6272
Trust: 0.8
url:http://jvn.jp/cert/jvnvu97486520
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2012-6272
Trust: 0.8
url:http://secunia.com/advisories/51764
Trust: 0.6
url:http://dell.com
Trust: 0.3
url:https://cwe.mitre.org/data/definitions/79.html
Trust: 0.1
url:https://nvd.nist.gov
Trust: 0.1
url:https://www.exploit-db.com/exploits/38179/
Trust: 0.1
url:http://secunia.com/advisories/51764/#comments
Trust: 0.1
url:http://secunia.com/vulnerability_intelligence/
Trust: 0.1
url:http://secunia.com/advisories/secunia_security_advisories/
Trust: 0.1
url:http://secunia.com/vulnerability_scanning/corporate/wsus_sccm_3rd_third_party_patching/
Trust: 0.1
url:http://secunia.com/advisories/51764/
Trust: 0.1
url:http://secunia.com/vulnerability_scanning/personal/
Trust: 0.1
url:http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
Trust: 0.1
url:http://secunia.com/blog/325/
Trust: 0.1
url:https://ca.secunia.com/?page=viewadvisory&vuln_id=51764
Trust: 0.1
url:http://secunia.com/advisories/about_secunia_advisories/
Trust: 0.1
sources:
            
            
            CERT/CC: VU#950172 // 
            
            
            
            VULHUB: VHN-59553 // 
            
            
            
            VULMON: CVE-2012-6272 // 
            
            
            
            BID: 57212 // 
            
            
            
            JVNDB: JVNDB-2013-001028 // 
            
            
            
            PACKETSTORM: 119392 // 
            
            
            
            CNNVD: CNNVD-201301-125 // 
            
            
            
            NVD: CVE-2012-6272

CREDITS
Tenable Network Security
Trust: 0.3
sources:
            
            
            BID: 57212

SOURCES
db:CERT/CCid:VU#950172
db:VULHUBid:VHN-59553
db:VULMONid:CVE-2012-6272
db:BIDid:57212
db:JVNDBid:JVNDB-2013-001028
db:PACKETSTORMid:119392
db:CNNVDid:CNNVD-201301-125
db:NVDid:CVE-2012-6272

LAST UPDATE DATE
2024-09-09T23:20:57.191000+00:00

SOURCES UPDATE DATE
db:CERT/CCid:VU#950172date:2015-09-17T00:00:00
db:VULHUBid:VHN-59553date:2013-01-30T00:00:00
db:VULMONid:CVE-2012-6272date:2013-01-30T00:00:00
db:BIDid:57212date:2013-01-09T00:00:00
db:JVNDBid:JVNDB-2013-001028date:2013-01-28T00:00:00
db:CNNVDid:CNNVD-201301-125date:2013-01-11T00:00:00
db:NVDid:CVE-2012-6272date:2013-01-30T05:00:00

SOURCES RELEASE DATE
db:CERT/CCid:VU#950172date:2013-01-09T00:00:00
db:VULHUBid:VHN-59553date:2013-01-25T00:00:00
db:VULMONid:CVE-2012-6272date:2013-01-25T00:00:00
db:BIDid:57212date:2013-01-09T00:00:00
db:JVNDBid:JVNDB-2013-001028date:2013-01-11T00:00:00
db:PACKETSTORMid:119392date:2013-01-09T07:49:45
db:CNNVDid:CNNVD-201301-125date:2013-01-11T00:00:00
db:NVDid:CVE-2012-6272date:2013-01-25T12:00:47.400