Remote XSS Vulnerability in HPE Integrated Lights-Out Products
CVE-2021-29205

4.8MEDIUM

Key Information:

Vendor: HP
Status: HPe Integrated Lights-out 4 (ilo 4) For HPe Gen9 Servers; HPe Integrated Lights-out 5 (ilo 5) For HPe Gen10 Servers
Vendor: CVE Published:; 25 May 2021

Summary

A remote cross-site scripting vulnerability has been identified in various HPE Integrated Lights-Out (iLO) products and HPE SimpliVity systems. This vulnerability may allow an attacker to execute arbitrary JavaScript code in the context of the user's session, posing significant risks to system integrity and data confidentiality. Affected versions include those prior to version 2.78 across several HPE server lines. Users are urged to update to the latest versions to mitigate potential exploitation.

Affected Version(s)

HPE Integrated Lights-Out 4 (iLO 4) For HPE Gen9 servers; HPE Integrated Lights-Out 5 (iLO 5) for HPE Gen10 Servers Prior to HPE Integrated Lights-Out 4 (iLO 4) version 2.78

HPE Integrated Lights-Out 4 (iLO 4) For HPE Gen9 servers; HPE Integrated Lights-Out 5 (iLO 5) for HPE Gen10 Servers Prior to HPE Integrated Lights-Out 5 (iLO 5) version 2.44

HPE Integrated Lights-Out 4 (iLO 4) For HPE Gen9 servers; HPE Integrated Lights-Out 5 (iLO 5) for HPE Gen10 Servers = unspecified

References

https://support.hpe.com/hpsc/doc/public/display?docLocale...

x_refsource_MISC

CVSS V3.1

Score:

4.8

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
May 25, 2021
Vulnerability Reserved
Mar 25, 2021