Remote DOM XSS and CRLF Injection in HPE Integrated Lights-Out and SimpliVity Products
CVE-2021-29210
Key Information:
- Vendor
HP
- Vendor
- CVE Published:
- 25 May 2021
What is CVE-2021-29210?
A remote DOM-based cross-site scripting (XSS) and carriage return line feed (CRLF) injection vulnerability has been identified in HPE Integrated Lights-Out 4 (iLO 4) and various HPE SimpliVity models. This issue affects versions prior to 2.78, potentially allowing attackers to exploit the vulnerabilities for unauthorized actions, leading to elevated access privileges or manipulation of data. Users are urged to update their systems and apply necessary patches to mitigate the risks associated with this vulnerability.
Affected Version(s)
HPE Integrated Lights-Out 4 (iLO 4) For HPE Gen9 servers; HPE Integrated Lights-Out 5 (iLO 5) for HPE Gen10 Servers Prior to HPE Integrated Lights-Out 4 (iLO 4) version 2.78
HPE Integrated Lights-Out 4 (iLO 4) For HPE Gen9 servers; HPE Integrated Lights-Out 5 (iLO 5) for HPE Gen10 Servers Prior to HPE Integrated Lights-Out 5 (iLO 5) version 2.44
HPE Integrated Lights-Out 4 (iLO 4) For HPE Gen9 servers; HPE Integrated Lights-Out 5 (iLO 5) for HPE Gen10 Servers = unspecified